Computing maximally-permissive strategies in acyclic timed automata
Emily Clement, Thierry Jéron, Nicolas Markey, and David Mentré
IRISA, Inria & CNRS & Univ. Rennes, France
Mitsubishi Electric R&D Centre Europe – Rennes, France
Abstract.
Timed automata are a convenient mathematical model for modelling and reasoning about real-time systems. While they provide a powerful way of representing timing aspects of such systems, timed automata assume arbitrary precision and zero-delay actions; in particular, a state might be declared reachable in a timed automaton, but impossible to reach in the physical system it models. In this paper, we consider permissive strategies as a way to overcome this problem: such strategies propose intervals of delays instead of single delays, and aim at reaching a target state whichever delay actually takes place. We develop an algorithm for computing the optimal permissiveness (and an associated maximally-permissive strategy) in acyclic timed automata and games.
Timed automata [AD94] are a powerful formalism for modelling and reasoning about real-time computer systems: they offer a convenient way of modelling timing conditions (not relying on discretization) while allowing for efficient verification algorithms; as a consequence, they have been widely studied by the formal-verification community, and have been applied to numerous industrial case studies thanks to advanced tools such as Uppaal [BDL+ ...]

(*) This work was partially funded by ANR project Ticktac (ANR-18-CE40-0015).
arXiv [cs.FL], July.

[...] may add new behaviours, which have to be taken into account in the safety check. In that setting, guard enlargement [Pur00, DDMR04] has been proposed as a way to model the fact that some timing conditions might be considered true even if they are (slightly) violated: the existence of an enlargement value for which the set of executions is safe is decidable. When dealing with reachability properties, timing imprecisions may prevent a run from being valid. A topological approach has been proposed, where a state is declared reachable only if there is a tube of trajectories reaching the target state [GHJ97]. Game-based approaches have also been proposed, where a state is said reachable if there is a strategy to reach this state when an opponent player is allowed to modify (up to a certain point) the values of the delays [BMS15, BFM15].

In this paper, we build on the approach of [BFM15], where the authors aim at computing maximally-permissive strategies for reaching a target state. While in classical timed automata, reachability is witnessed by a sequence of delays and transitions leading to a target state, here the aim is to propose intervals of delays, leaving it to an opponent player to decide which delay will indeed take place. Of course, the strategy has to be able to respond to any choice of the opponent, eventually reaching the target state.

We can then have several ways of measuring permissiveness of a strategy, the general idea being that larger intervals of delays are preferred. In [BFM15], each interval is associated with a penalty, which is the inverse of the length of the interval. Penalties are summed up along paths, and maximally-permissive strategies are those having minimal worst-case penalty. This favours both large intervals and short paths, but computing optimal strategies could only be achieved in the case of one-clock timed automata in [BFM15].

In the present paper, permissiveness of a strategy is defined as the size of the smallest interval proposed by that strategy. We develop an algorithm to compute the permissiveness of any (winning) configuration in acyclic timed automata and games, with any number of clocks. Consider for instance a scheduling problem, where a number of tasks have to be performed in a certain order within a given delay. Classical reachability algorithms would just say whether a given set of tasks is schedulable (in the mathematical model); this then requires launching some of the tasks at very precise dates, as the computed schedule need not be correct if delays are slightly modified. Instead, our algorithm could compute the permissiveness of the best schedule, thereby measuring the amount of imprecision that can be allowed, depending on the deadline by which all tasks have to be finished.

This paper is organized as follows: in Section 2, we introduce the necessary definitions, in particular of timed automata and permissiveness of strategies, and prove basic results. Section 3 is devoted to solving the case of linear timed automata, where all states have at most one outgoing transition, thereby focusing only on choices of delays. Section 4 extends this to acyclic timed automata and games. By lack of space, most of the proofs could not be included in this version of the paper. They can be found in the long version [CJMM20] of this article.

Definitions
A valuation for a set $C$ of variables is a mapping $v\colon C \to \mathbb{R}_{\ge 0}$, assigning a nonnegative real value to each variable. We write $\mathbf{0}$ for the valuation defined as $\mathbf{0}(c) = 0$ for any $c \in C$. We write $(\mathbb{R}_{\ge 0})^C$ for the set of valuations for $C$, which we identify with $(\mathbb{R}_{\ge 0})^n$ when $C$ has exactly $n$ variables. We write $\overline{\mathb{R}}$ for $\mathbb{R} \cup \{-\infty; +\infty\}$.

Definition 1. An $n$-dimensional affine function is a mapping $f\colon \mathbb{R}^n_{\ge 0} \to \overline{\mathbb{R}}$ s.t.
– either there exists a vector $(F_k)_{0 \le k \le n} \in \mathbb{R}^{n+1}$ such that $f(v) = F_0 + \sum_{1 \le i \le n} F_i \cdot v_i$;
– or $f(v) = -\infty$ for all $v \in \mathbb{R}^n_{\ge 0}$; in that case we can still write $f(v) = F_0 + \sum_{1 \le i \le n} F_i \cdot v_i$, by setting $F_0 = -\infty$ and $F_i = 0$ for all $1 \le i \le n$;
– or $f(v) = +\infty$ for all $v \in \mathbb{R}^n_{\ge 0}$; similarly, this corresponds to setting $F_0 = +\infty$ and $F_i = 0$ for all $1 \le i \le n$.

A linear function $f$ is an affine function for which $f(\mathbf{0}) = 0$. If $\Phi = (\phi_k)_{1 \le k \le m}$ is a set of $n$-dimensional affine functions and $b = (b_k)_{1 \le k \le m}$ is a set of intervals, we write $\llbracket \Phi, b \rrbracket$ for the intersection $\bigcap_{1 \le k \le m} \phi_k^{-1}(b_k)$. This defines a convex polyhedron of $\mathbb{R}^n_{\ge 0}$. An $n$-dimensional piecewise-affine function is a mapping $f\colon \mathbb{R}^n_{\ge 0} \to \overline{\mathbb{R}}$ for which there exists a partition $S = (S_k)_{1 \le k \le m}$ of $\mathbb{R}^n_{\ge 0}$ into convex polyhedra, and a family $(f_k)_{1 \le k \le m}$ of affine functions such that for any $x \in \mathbb{R}^n_{\ge 0}$, writing $k$ for the (unique) index in $[1; m]$ such that $x \in S_k$, it holds $f(x) = f_k(x)$.

Given a valuation $v$ and a nonnegative real $d$, we denote with $v + d$ the valuation $w$ such that $w(c) = v(c) + d$ for all $c \in C$. For any subset $I \subseteq \mathbb{R}_{\ge 0}$, we write $v + I$ for the set of valuations $\{v + d \mid d \in I\}$. Given a valuation $v$ and a subset $r \subseteq C$, we write $v[r \to 0]$ for the valuation $w$ such that $w(c) = 0$ if $c \in r$ and $w(c) = v(c)$ if $c \notin r$.

The set of linear constraints over $C$ is defined as $\mathcal{G}(C) \ni g ::= c \sim n \mid g \wedge g$, where $c$ ranges over $C$, $n$ ranges over $\mathbb{N}$, and $\sim \in \{<, \le, =, \ge, >\}$. That a clock valuation $v$ satisfies a clock constraint $g$, denoted $v \models g$ (and sometimes $v \in g$, seeing $g$ as a convex polyhedron), is defined inductively as
$$v \models c \sim n \iff v(c) \sim n \qquad\qquad v \models g_1 \wedge g_2 \iff v \models g_1 \text{ and } v \models g_2.$$
For the rest of this paper, we fix a finite alphabet $\Sigma$.

Definition 2 ([AD94]). A timed automaton over $\Sigma$ is a tuple $\mathcal{A} = (C, L, T, I)$ where $C$ is a finite set of clocks, $L$ is a finite set of states (or locations), $T \subseteq L \times \mathcal{G}(C) \times \Sigma \times 2^C \times L$ is a finite set of transitions, and $I\colon L \to \mathcal{G}(C)$ defines the invariant constraints in locations.

A configuration of a timed automaton is a pair $(\ell, v)$ where $\ell$ is a location of the automaton and $v$ is a clock valuation such that $v \models I(\ell)$. The semantics of timed automata can be defined as an infinite-state labelled transition system whose states are the set of configurations, and whose transitions are of two kinds:
– delay transitions model time elapsing: no transitions of the timed automaton are taken, but the values of all clocks are augmented by the same value. For any configuration $(\ell, v)$ and any delay $d \in \mathbb{R}_{\ge 0}$, there is a transition $(\ell, v) \xrightarrow{d} (\ell, v + d)$, provided that $v + d \models I(\ell)$;
– action transitions represent the effect of taking a transition in the timed automaton. For any configuration $(\ell, v)$ and any transition $t = (\ell, g, a, r, \ell')$, if $v \models g$, then there is a transition $(\ell, v) \xrightarrow{a} (\ell', v[r \to 0])$, provided that $v[r \to 0] \models I(\ell')$.

We write $(\ell, v) \xrightarrow{d, a} (\ell', v')$ when there exists $(\ell'', v'')$ such that $(\ell, v) \xrightarrow{d} (\ell'', v'')$ and $(\ell'', v'') \xrightarrow{a} (\ell', v')$. A run of a timed automaton is a sequence of configurations $(\ell_i, v_i)_i$ such that, for all $i$, there exist $d \in \mathbb{R}_{\ge 0}$ and $a \in \Sigma$ such that $(\ell_i, v_i) \xrightarrow{d, a} (\ell_{i+1}, v_{i+1})$. Even if it means adding a sink state and corresponding transitions, we assume that from any configuration, there always exists a transition $\xrightarrow{d, a}$ for some $d \in \mathbb{R}_{\ge 0}$ and some $a \in \Sigma$. This way, any finite run can be extended into an infinite run (in terms of its number of transitions). We also assume that, from any location $\ell$ and any action $a$, there is at most one transition from $\ell$ labelled with $a$.

One of the most basic problems concerning timed automata is that of reachability of a location: given a timed automaton $\mathcal{A}$, a source configuration $(\ell_0, v_0)$ (usually assuming $v_0 = \mathbf{0}$) and a target location $\ell_f$, it amounts to deciding whether there exists a run from $(\ell_0, v_0)$ to some configuration $(\ell_f, v_f)$ in the infinite-state transition system defining the semantics of $\mathcal{A}$. This problem has been proven decidable (and PSPACE-complete) in the early 1990s [AD94], using region equivalence, which provides a finite-state automaton that is (time-abstracted) bisimilar to the original timed automaton.
Solving reachability using the algorithm above, we can obtain a sequence of delays and transitions to be taken for reaching the target location. Playing this sequence of delays and transitions however requires infinite precision in order to meet all timing constraints, which might not be possible on physical devices. In this paper, we address this problem by building on the setting studied in [BFM15]: in that setting, the delays that are played may be slightly perturbed, and it can be required to adapt the future delays (and possibly actions) so as to make sure that the target is indeed reached.

We encode the imprecisions using a game setting: the player proposes an interval of possible delays (together with the action to be played), and its opponent selects, in the proposed interval, the exact delay that will take place. Formally, in our setting, a move from some configuration $(\ell, v)$ is a pair $(I, a)$, where $I \subseteq \mathbb{R}_{\ge 0}$ is a closed interval, possibly right-unbounded, and $a \in \Sigma$, such that there is a transition $(\ell, g, a, r, \ell')$ for which $v + I \subseteq g$ (i.e., for any valuation $w \in v + I$, it holds $w \models g$). We write $\mathrm{moves}(\ell, v)$ for the set of moves from $(\ell, v)$.

A permissive strategy is a function $\sigma$ mapping finite runs $(\ell_i, v_i)_{0 \le i \le n}$ to moves in $\mathrm{moves}(\ell_n, v_n)$. A run $\rho = (\ell_i, v_i)_i$ is compatible with a permissive strategy $\sigma$ if, for any finite prefix $\pi = (\ell_i, v_i)_{0 \le i \le j}$ of $\rho$, $\sigma(\pi)$ is defined and, writing $\sigma(\pi) = (I, a)$, there exists $d \in I$ such that $(\ell_j, v_j) \xrightarrow{d, a} (\ell_{j+1}, v_{j+1})$. A permissive strategy $\sigma$ is winning from a given configuration $(\ell_0, v_0)$ if any infinite run originating from $(\ell_0, v_0)$ that is compatible with $\sigma$ is winning (which, in our setting, means that it visits the target location $\ell_f$). Notice that classical strategies (which propose single delays instead of intervals of delays) are special cases of permissive strategies. It follows that, as soon as there is a path from some configuration $(\ell, v)$ to $\ell_f$, there exists a winning permissive strategy from $(\ell, v)$ (possibly proposing punctual intervals). Such configurations are said winning, and the winning zone is the set of all winning configurations.

Our aim is to compute maximally-permissive winning strategies. In this work, we measure the permissiveness of a strategy $\sigma$ in a configuration $(\ell, v)$, denoted $\mathrm{Perm}_\sigma(\ell, v)$, as the length of the smallest interval it may return. Formally:

Definition 3. Let $\sigma$ be a permissive strategy, and $(\ell, v)$ be a configuration of $\mathcal{A}$. The permissiveness of $\sigma$ in $(\ell, v)$, denoted with $\mathrm{Perm}_\sigma(\ell, v)$, is defined as follows:
– if $\sigma$ is not winning from $(\ell, v)$, the permissiveness of $\sigma$ in $(\ell, v)$ is $-\infty$;
– otherwise, $\mathrm{Perm}_\sigma(\ell, v) = \inf\{|I| \mid \exists \pi.\ \sigma(\pi) = (I, a) \text{ for some } a\}$.
The permissiveness of configuration $(\ell, v)$ is then defined as $\mathrm{Perm}(\ell, v) = \sup_\sigma \mathrm{Perm}_\sigma(\ell, v)$.

In this paper, we prove that $\mathrm{Perm}$ is a piecewise affine function, and develop an algorithm for computing that function. Intuitively, this corresponds to computing how much precision is needed in order to reach the target configuration.
Remark 4. Notice that our definition of permissiveness is similar in spirit to that of [BFM15]. However, in [BFM15], each move $(I, a)$ was associated a penalty (namely $1/|I|$), and penalties are summed up along the execution. This tends to make the player favour shorter paths with possibly small intervals (hence demanding more accuracy when playing) over long paths with larger intervals. Our setting only aims at maximizing the size of the smallest interval to be played.

Our work can also be seen as a kind of quantitative extension of the tubes of trajectories of [GHJ97]: permissiveness could be seen as the minimal width of such a tube. However, we are in a game-based setting, and (except in Section 3) the strategy could suggest to take different transitions if they allow for more permissiveness. We only consider closed intervals here to simplify the presentation.

Finally, and perhaps more importantly, our setting is quite close to that of [BMS15], but with a more quantitative focus: we aim at computing the optimal permissiveness for all winning configurations (with reachability objective), while only a global lower bound (of the form $1/m$ where $m$ is doubly-exponential in the size of the input) is obtained in [BMS15]. Similar results to those of [BMS15] are obtained in [SBMR13, BGMRS19] for Büchi objectives; such extensions are part of our future work.

Remark 5. The term permissive strategy is sometimes used to refer to non-deterministic strategies, returning the set of all moves that lead to winning configurations. In particular, Uppaal-Tiga [BCD+07] can compute maximally-permissive strategies in that sense. But this is only a local view of permissiveness, while our aim is to allow for high permissiveness all along the execution.
Towards computing $\mathrm{Perm}$, we define:
$$\mathcal{P}_i(\ell_f, v) = +\infty \quad \text{for all valuations } v \text{ and all } i \ge 0;$$
$$\mathcal{P}_0(\ell, v) = -\infty \quad \text{for all valuations } v \text{ and all } \ell \ne \ell_f;$$
$$\mathcal{P}_{i+1}(\ell, v) = \begin{cases} \displaystyle\sup_{(I, a) \in \mathrm{moves}(\ell, v)} \min\Bigl(|I|,\ \inf\{\mathcal{P}_i(\ell', v') \mid \exists d \in I.\ (\ell, v) \xrightarrow{d, a} (\ell', v')\}\Bigr) & \text{if } \mathrm{moves}(\ell, v) \ne \emptyset \\ -\infty & \text{otherwise.} \end{cases}$$

In the rest of this section, we prove some basic properties of this sequence of functions, and in particular its link with permissiveness. The next sections will be devoted to its computation on acyclic timed automata. Our first two results are concerned with the evolution of the sequence with $i$. They are proved by straightforward inductions.

Lemma 6. For any $(\ell, v)$, the sequence $(\mathcal{P}_i(\ell, v))_{i \in \mathbb{N}}$ is nondecreasing.

Lemma 7. If the longest path from $\ell$ to $\ell_f$ has at most $i$ transitions, then for any $v$ and any $j \ge 0$, it holds $\mathcal{P}_{i+j}(\ell, v) = \mathcal{P}_i(\ell, v)$.

The following lemma ties the link between the sequence $(\mathcal{P}_i)$ and permissiveness:

Proposition 8. For any $i \in \mathbb{N}$ and for any configuration $(\ell, v)$, it holds:
1. $\mathcal{P}_i(\ell, v) = -\infty$ if, and only if, there are no runs of length at most $i$ from $(\ell, v)$ to $\ell_f$;
2. for any $p \in \mathbb{R}_{\ge 0}$, and any $i \in \mathbb{N}$, it holds $\mathcal{P}_i(\ell, v) > p$ if, and only if, there is a permissive strategy with permissiveness larger than $p$ that is winning from $(\ell, v)$ within $i$ steps.

Proof. We begin with the first equivalence, which we prove by induction on $i$. The result is trivial for $i = 0$. Now, assume that the result holds up to index $i$. There may be two reasons for having $\mathcal{P}_{i+1}(\ell, v) = -\infty$ for some $(\ell, v)$: either $\mathrm{moves}(\ell, v)$ is empty, or it is not empty and for any $(I, a) \in \mathrm{moves}(\ell, v)$, it holds $\inf\{\mathcal{P}_i(\ell', v') \mid \exists d \in I.\ (\ell, v) \xrightarrow{d, a} (\ell', v')\} = -\infty$. This is true in particular when $I = \{d\}$ is punctual: for any $(d, a)$, the successor $(\ell', v')$ such that $(\ell, v) \xrightarrow{d, a} (\ell', v')$ is such that $\mathcal{P}_i(\ell', v') = -\infty$. From the induction hypothesis, there can be no path from those $(\ell', v')$ to $\ell_f$ with $i$ steps or less. Hence there are no paths from $(\ell, v)$ to $\ell_f$ with at most $i + 1$ steps. Conversely, if there are no paths having at most $i + 1$ steps from $(\ell, v)$ to $\ell_f$, then either this is because $\mathrm{moves}(\ell, v) = \emptyset$, or this is because all moves lead to a configuration from which there are no paths of length at most $i$ to $\ell_f$. By induction hypothesis, all successor configurations have $\mathcal{P}_i = -\infty$, hence also $\mathcal{P}_{i+1}(\ell, v) = -\infty$.

We now prove the second claim, still by induction. The base case is again trivial. Now, assume that the result holds up to some index $i$. We fix some $p \in \mathbb{R}_{\ge 0}$, and first consider a configuration $(\ell, v)$ with $\mathcal{P}_{i+1}(\ell, v) > p$. This entails that $\mathrm{moves}(\ell, v)$ is non-empty, and that there is a move $(I, a)$ with $|I| > p$ such that $\mathcal{P}_i(\ell', v') > p$ for all $(\ell', v')$ such that $(\ell, v) \xrightarrow{d, a} (\ell', v')$ with $d \in I$. Applying the induction hypothesis, there is an $i$-step winning strategy with permissiveness larger than $p$ from each successor configuration $(\ell', v')$, from which we can build an $(i+1)$-step winning strategy with permissiveness larger than $p$ from $(\ell, v)$. Conversely, pick an $(i+1)$-step winning strategy $\sigma_p$ from $(\ell, v)$ with permissiveness larger than $p$. Write $\sigma_p(\ell, v) = (I, a)$. Then for any $d \in I$, in the configuration $(\ell', v')$ such that $(\ell, v) \xrightarrow{d, a} (\ell', v')$, strategy $\sigma_p$ is an $i$-step winning strategy with permissiveness larger than $p$, so that, following the induction hypothesis, $\mathcal{P}_i(\ell', v') > p$. It immediately follows that $\mathcal{P}_{i+1}(\ell, v) > p$. □

Our next three results focus on properties of the functions $\mathcal{P}_i$. First, we identify zones on which $\mathcal{P}_i$ is constant. This will be useful for proving correctness of our algorithm computing $\mathcal{P}_i$ in the next section:

Lemma 9.
Let $\mathcal{A}$ be a timed automaton, with maximal constant $M$. Let $\ell$ be a location, and $i \in \mathbb{N}$. Take two valuations $v$ and $v'$ such that, for any clock $c$, we have either $v(c) = v'(c)$, or $v(c) > M$ and $v'(c) > M$. Then $\mathcal{P}_i(\ell, v) = \mathcal{P}_i(\ell, v')$.

Next we prove that the functions $\mathcal{P}_i$ are 2-Lipschitz continuous (on the zone where they take finite values):

Proposition 10. For any integer $i \in \mathbb{N}$ and any location $\ell$, the function $\tau_\ell\colon v \mapsto \mathcal{P}_i(\ell, v)$ is 2-Lipschitz on the set of valuations where it takes finite values.

Finally, the following lemma shows the (rather obvious) fact that $\mathcal{P}_i(\ell, v + t) \le \mathcal{P}_i(\ell, v)$. A consequence of this property is that, for any non-resetting transition, the optimal choice for the opponent is the largest delay in the interval proposed by the player. This corresponds to the intuition that by playing later, the opponent will force the player to react faster at the next step. As Example 1 below shows, this is not the case in general: in that example, from $(\ell_0, \langle x = 0; y = 0\rangle)$, if the player proposes interval $[1/4; 1]$, the optimal choice for the opponent is $d = 1/4$.

Lemma 11.
Let $(\ell, v)$ be a configuration, $t \in \mathbb{R}_{\ge 0}$ such that $(\ell, v + t)$ is a configuration of the automaton, and $i \in \mathbb{N}$. Then $\mathcal{P}_i(\ell, v) - t \le \mathcal{P}_i(\ell, v + t) \le \mathcal{P}_i(\ell, v)$.

Example 1. Consider the automaton of Fig. 1. We compute the optimal permissiveness (and corresponding strategies) for this small example. First, $\mathcal{P}_i(\ell_f, v) = +\infty$ for all $i$, and $\mathcal{P}_0(\ell_0, v) = \mathcal{P}_0(\ell_1, v) = -\infty$.

Fig. 1. A linear timed automaton and its permissiveness at $\ell_0$ and $\ell_1$. (Figure not reproduced. As read from the text of this example, the automaton is $\ell_0 \xrightarrow{\ 0 \le x \le 1 \wedge 0 \le y \le 1,\ y := 0\ } \ell_1 \xrightarrow{\ 1 \le x \le 2 \wedge 0 \le y \le 1\ } \ell_f$; the two plots have the clocks $x$ and $y$ on their axes, with cells labelled by the affine expressions computed below and $-\infty$ outside the winning zone.)

We first focus on $\ell_1$, with some valuation $v$: obviously, if $v(x) > 2$ or $v(y) > 1$, $\mathrm{moves}(\ell_1, v)$ is empty, and $\mathcal{P}_1(\ell_1, v) = -\infty$ in that case; similarly if $v(y) > v(x)$. Since $\mathcal{P}_0(\ell_f, v)$ does not depend on $v$, the optimal move for the player is the largest possible interval satisfying the guard:
– if $v(x) \le 1$ (hence $v(y) \le v(x) \le 1$), the optimal interval of delays is $[1 - v(x); 1 - v(y)]$, whose length is $v(x) - v(y)$;
– if $v(y) \le 1 \le v(x) \le 2$, the transition is immediately available, so that the lower bound of the interval will be $0$. For the upper bound, there are two cases:
  • if $v(y) \ge v(x) - 1$, the optimal interval is $[0; 1 - v(y)]$;
  • if $v(y) \le v(x) - 1$, the optimal interval is $[0; 2 - v(x)]$.
This also holds for any transition in a one-clock timed automaton (because in case the clock is reset, the new valuation does not depend on the delay chosen by the opponent). This defines the permissiveness for $\ell_1$.

We now look at $\ell_0$: first, $\mathcal{P}_1(\ell_0, v) = -\infty$ for all $v$, and only configurations $(\ell_0, v)$ where $v(x) \le 1$ and $v(y) \le 1$ admit a move, so that $\mathcal{P}_2(\ell_0, v) = -\infty$ as soon as $v(x) > 1$ or $v(y) > 1$. Fix a valuation $v$ for which $v(x) \le 1$ and $v(y) \le 1$. We have to find the interval $I = [\alpha, \beta]$ such that $v(x) + \beta \le 1$ and $v(y) + \beta \le 1$, and for which $\min\{\beta - \alpha,\ \inf_{\gamma \in [\alpha, \beta]} \mathcal{P}_1(\ell_1, (v + \gamma)[y \to 0])\}$ is maximized. Noticing that $(v + \gamma)[y \to 0]$ is the valuation $(x \mapsto v(x) + \gamma;\ y \mapsto 0)$, and that $\mathcal{P}_1(\ell_1, w) = w(x)$ for any $w$ satisfying $w(x) \in [0; 1]$ and $w(y) = 0$, we have to maximize $\min\{\beta - \alpha,\ \inf_{\gamma \in [\alpha, \beta]} v(x) + \gamma\}$ over the domain defined by $0 \le \alpha \le \beta \le \min(1 - v(x); 1 - v(y))$. Obviously, $\inf_{\gamma \in [\alpha, \beta]} v(x) + \gamma = v(x) + \alpha$, so we have to maximize $\min\{\beta - \alpha,\ v(x) + \alpha\}$ on the set $\{(\alpha, \beta) \mid 0 \le \alpha \le \beta \le \min(1 - v(x); 1 - v(y))\}$. We consider two cases:
– if $v(y) \le v(x)$: clearly, it is optimal to maximize $\beta$, so we let $\beta = 1 - v(x)$. Hence we have to maximize $\min\{1 - (v(x) + \alpha),\ v(x) + \alpha\}$ over $0 \le \alpha \le 1 - v(x)$. Again, there are two cases, depending on whether $v(x)$ is larger or smaller than $1/2$; in the former case, $\min\{1 - (v(x) + \alpha),\ v(x) + \alpha\} = 1 - v(x) - \alpha$ when $\alpha$ ranges over $[0; 1 - v(x)]$; it is maximized for $\alpha = 0$, and we get $\mathcal{P}_2(\ell_0, v) = 1 - v(x)$. If $v(x) \le 1/2$, the maximal value is reached when $\alpha = 1/2 - v(x)$, and $\mathcal{P}_2(\ell_0, v) = 1/2$;
– if $v(y) \ge v(x)$: then it is optimal to let $\beta = 1 - v(y)$. Again there are two cases for maximizing $\min\{1 - v(y) - \alpha,\ v(x) + \alpha\}$: if $1 - v(y) \le v(x)$, then $\alpha = 0$ is optimal, and $\mathcal{P}_2(\ell_0, v) = 1 - v(y)$; otherwise, $\alpha = (1 - v(x) - v(y))/2$ is optimal, and $\mathcal{P}_2(\ell_0, v) = (1 - v(y) + v(x))/2$.
The resulting functions are depicted on Fig. 1 (writing $x$ and $y$ in place of $v(x)$ and $v(y)$).

Our aim in the rest of this paper is to compute the sequence of functions $\mathcal{P}_i$, and to evaluate the complexity of this computation. Following Lemma 7, this will provide us with an algorithm for computing permissiveness in acyclic timed automata.

In this section, we consider the simpler case of linear timed automata, where each location has at most one successor.
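The closed forms derived in Example 1 can be checked mechanically against the inductive definition of $\mathcal{P}_i$. The Python script below is an added example, not code from the paper nor from the authors' tool. It encodes the automaton of Fig. 1 as read from the text of Example 1 (this reading of the guards is an assumption), computes $\mathcal{P}_1(\ell_1, \cdot)$ and $\mathcal{P}_2(\ell_0, \cdot)$ directly from their definition by exhaustive search over interval bounds on a grid of rational delays (using the fact, stated in Corollary 13 below, that the opponent's worst delay is an endpoint of the proposed interval), compares the result with the closed forms `perm_l1` and `perm_l0`, and recovers the opponent's optimal reply $d = 1/4$ to the move $[1/4; 1]$ from $(\ell_0, \langle x = 0; y = 0\rangle)$ mentioned before Lemma 11.

```python
"""Brute-force check of the permissiveness functions derived in Example 1.

Added example, not code from the paper.  The automaton is the assumed reading
of Fig. 1 from the text of Example 1 (clocks x, y; constructed instance):
    l0 --[0 <= x <= 1 and 0 <= y <= 1], y := 0--> l1 --[1 <= x <= 2 and 0 <= y <= 1]--> lf
P_i is computed from its inductive definition, with interval bounds restricted
to a grid of rational delays, and compared with the closed forms of Example 1.
"""
from fractions import Fraction as F
from functools import lru_cache

NEG_INF, POS_INF = float("-inf"), float("inf")
TARGET = "lf"
# Linear automaton: location -> (successor, guard as (lo, hi) per clock (x, y), reset set).
# Clock index 1 is y.  Assumed reading of Fig. 1.
TRANSITIONS = {
    "l0": ("l1", ((0, 1), (0, 1)), frozenset({1})),
    "l1": ("lf", ((1, 2), (0, 1)), frozenset()),
}
DELAYS = [F(k, 16) for k in range(33)]   # candidate interval bounds 0, 1/16, ..., 2


def in_guard(v, guard):
    return all(lo <= val <= hi for val, (lo, hi) in zip(v, guard))


def step(v, d, reset):
    """Successor valuation (v + d)[reset -> 0]."""
    return tuple(F(0) if k in reset else val + d for k, val in enumerate(v))


@lru_cache(maxsize=None)
def perm(loc, v, i):
    """P_i(loc, v) following the inductive definition, for interval bounds on the grid."""
    if loc == TARGET:
        return POS_INF
    if i == 0 or loc not in TRANSITIONS:
        return NEG_INF
    dst, guard, reset = TRANSITIONS[loc]
    # The guard is a box, so v + [a, b] lies inside it iff both endpoints do.
    ok = [d for d in DELAYS if in_guard(step(v, d, frozenset()), guard)]
    best = NEG_INF
    for a in ok:
        for b in ok:
            if b < a:
                continue
            # Corollary 13: the opponent's worst-case delay is an endpoint of [a, b].
            worst = min(perm(dst, step(v, a, reset), i - 1),
                        perm(dst, step(v, b, reset), i - 1))
            best = max(best, min(b - a, worst))
    return best


def worst_delay(loc, v, a, b, i):
    """Opponent's best reply to the move [a, b] from (loc, v): the grid delay whose
    successor has the smallest P_i (Lemma 11 / Example 1)."""
    dst, _, reset = TRANSITIONS[loc]
    return min((d for d in DELAYS if a <= d <= b),
               key=lambda d: perm(dst, step(v, d, reset), i))


def perm_l1(x, y):
    """Closed form of P_1(l1, v) from Example 1, with x = v(x), y = v(y)."""
    if x > 2 or y > 1 or y > x:
        return NEG_INF
    if x <= 1:
        return x - y               # interval [1 - x; 1 - y]
    return min(1 - y, 2 - x)       # interval [0; 1 - y] or [0; 2 - x]


def perm_l0(x, y):
    """Closed form of P_2(l0, v) from Example 1."""
    if x > 1 or y > 1:
        return NEG_INF
    if y <= x:
        return 1 - x if x >= F(1, 2) else F(1, 2)
    return 1 - y if 1 - y <= x else (1 - y + x) / 2


def agree_on_grid():
    """True iff brute force and closed forms coincide on every valuation of a 1/8 grid."""
    pts = [(F(i, 8), F(j, 8)) for i in range(17) for j in range(9)]
    return all(perm("l1", (x, y), 1) == perm_l1(x, y)
               and perm("l0", (x, y), 2) == perm_l0(x, y) for x, y in pts)


if __name__ == "__main__":
    print(perm("l0", (F(0), F(0)), 2))                        # 1/2
    print(worst_delay("l0", (F(0), F(0)), F(1, 4), F(1), 1))  # 1/4
    print(agree_on_grid())                                    # True
```

The delay grid (step $1/16$) is chosen so that every optimal bound of Example 1 ($1 - v(x)$, $1 - v(y)$, $1/2 - v(x)$, $(1 - v(x) - v(y))/2$) lies on the grid whenever $v$ lies on the coarser $1/8$ grid; with a grid that is too coarse, the search only yields a lower bound on $\mathcal{P}_i$.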
We begin with focusing on the optimal choice of the opponent: given a configuration $(\ell, v)$ and an interval $I$ of delays proposed by the player (there is a single outgoing transition, so the action to be played is fixed), what is the best delay that the opponent will choose so as to minimize the permissiveness of the resulting configuration?

As we already mentioned, Lemma 11 answers this question for non-resetting transitions: for such transitions, the best option for the opponent is to choose the maximal delay in the interval proposed by the player. On the other hand, Example 1 provides a situation where the opponent prefers to play as early as possible. It turns out that, for linear timed automata, the optimal choice of the opponent is always one of these two extremal choices. This property will be a corollary of the following lemma, stating concavity of the permissiveness function in linear timed automata:

Proposition 12. Let $i \in \mathbb{N}$. Let $\ell$ be a location of a linear timed automaton, let $v_1$ and $v_2$ be two clock valuations such that $\mathcal{P}_i(\ell, v_1)$ and $\mathcal{P}_i(\ell, v_2)$ are finite. Let $\lambda \in [0; 1]$, and $v_\lambda = \lambda \cdot v_1 + (1 - \lambda) \cdot v_2$. Then $\mathcal{P}_i(\ell, v_\lambda) \ge \lambda \cdot \mathcal{P}_i(\ell, v_1) + (1 - \lambda) \cdot \mathcal{P}_i(\ell, v_2)$.

The aim of the opponent is to select the valuation in $V = \{(v + \delta)[r \to 0] \mid 0 \le \delta \le d\}$ that minimizes the permissiveness. Writing $v_1 = v[r \to 0]$ and $v_2 = (v + d)[r \to 0]$, we have $V = \{\lambda v_1 + (1 - \lambda) v_2 \mid 0 \le \lambda \le 1\}$. Proposition 12 entails that the permissiveness is minimized either in $v_1$ or in $v_2$. This corresponds to our claim that the best choice for the opponent always is to select one of the bounds of the interval proposed by the player.

Corollary 13. Let $\ell$ be a location of a linear timed automaton, $v$ and $v'$ be two clock valuations, $\lambda \in [0; 1]$, and $v_\lambda = \lambda \cdot v + (1 - \lambda) \cdot v'$. Then for all $i$: $\mathcal{P}_i(\ell, v_\lambda) \ge \min\{\mathcal{P}_i(\ell, v),\ \mathcal{P}_i(\ell, v')\}$. In particular, for any valuation $v$, any bounded interval $[\alpha, \beta]$, and any transition $\ell \xrightarrow{g, a, r} \ell'$:
$$\inf\{\mathcal{P}_i(\ell', v') \mid \exists d \in [\alpha, \beta].\ (\ell, v) \xrightarrow{d, a} (\ell', v')\} = \min\{\mathcal{P}_i(\ell', v'_\alpha),\ \mathcal{P}_i(\ell', v'_\beta)\}$$
where $(\ell, v) \xrightarrow{\alpha, a} (\ell', v'_\alpha)$ and $(\ell, v) \xrightarrow{\beta, a} (\ell', v'_\beta)$.

Now that we have a better understanding of the optimal strategy of the opponent, we can compute the most-permissive strategy of the player for reaching the target location $\ell_f$. We prove that for all $i$, $\mathcal{P}_i$ is in fact a piecewise-affine function that can be computed in doubly-exponential time. First notice that, following Lemma 7, for any location $\ell$ of a linear timed automaton with $n$ locations, the sequence of functions $(\mathcal{P}_i)_i$ converges in at most $n$ steps.

Theorem 14.
The permissiveness function for a linear timed automaton with $d$ locations and $n$ clocks is a piecewise-affine function. It can be computed in time O((n + 1) d).

The following technical lemma will be the central tool in the computation of $\mathcal{P}_i$:

Lemma 15. Let $m_\alpha \le M_\alpha$ and $m_\beta \le M_\beta$, and $D = \{(\alpha, \beta) \in \mathbb{R}^2_{\ge 0} \mid m_\alpha \le \alpha \le M_\alpha,\ m_\beta \le \beta \le M_\beta,\ \alpha \le \beta\}$. Let $f\colon \alpha \mapsto a\alpha + b$ and $g\colon \beta \mapsto c\beta + d$ be two 1-dimensional affine functions, and $\mu\colon (\alpha, \beta) \mapsto \min\{\beta - \alpha,\ f(\alpha),\ g(\beta)\}$. Then the maximal value that $\mu$ may take over $D$ is of one of the following five forms:
$$M_\beta - m_\alpha, \qquad \lambda \cdot f(\nu), \qquad \lambda \cdot g(\nu), \qquad \frac{ad - bc}{a - c} \qquad \text{and} \qquad \frac{ad - bc}{(a + 1)(1 - c) - 1},$$
with $\lambda \in \{1,\ \tfrac{1}{1 - c},\ \tfrac{1}{a + 1}\}$ and $\nu \in \{m_\alpha, M_\alpha, m_\beta, M_\beta\}$. This value can be computed by checking inequalities between expressions of the same forms.

The following lemma corresponds to one step of our inductive computation of $\mathcal{P}_i$:

Lemma 16.
Let $\mathcal{A}$ be a linear timed automaton with $n$ clocks. Let $(\ell, g, a, z, \ell')$ be a transition of $\mathcal{A}$, and assume that $v \mapsto \mathcal{P}_{i-1}(\ell', v)$ is piecewise affine, with $m$ cells. Then $v \mapsto \mathcal{P}_i(\ell, v)$ is piecewise affine. It can be computed in time O(m · (m + n)). It can be defined using a polyhedral partition of size O(m · (m + n)), and with coefficients polynomial in those of $\mathcal{P}_{i-1}$.

Proof. We assume that $\mathcal{P}_{i-1}(\ell', v)$ is not constantly $-\infty$ (if it were the case, then also $\mathcal{P}_i(\ell, v) = -\infty$ for all $v$). Similarly, we assume that $\mathrm{moves}(\ell, v)$ is non-empty for some $v$. Since $v \mapsto \mathcal{P}_{i-1}(\ell', v)$ is piecewise-affine, we can fix a polyhedral partition $\llbracket \Phi, P \rrbracket$ and, for each cell $h$ in this partition, an affine function $f_h$, such that $\mathcal{P}_{i-1}(\ell', v) = f_h(v)$ for the only cell $h$ containing $v$.

Our procedure for computing $\mathcal{P}_i$ in $\ell$ consists in listing the possible pairs of cells defining $\mathcal{P}_{i-1}$ in $\ell'$ where the left- and right-bounds of the interval to be proposed lie. For each pair $(h_\alpha, h_\beta)$ of such cells, we perform the following three steps (illustrated on Fig. 2):
– characterize the set $S_{(h_\alpha, h_\beta)}$ of all valuations from which those cells can be reached by taking the transition from $\ell$ to $\ell'$. We compute this polyhedron using quantifier elimination;
– compute the ranges for $\alpha$ and $\beta$ that can be played in order to indeed end up respectively in $h_\alpha$ and $h_\beta$. These are intervals $I_\alpha$ and $I_\beta$, whose bounds are expressed as functions of $v$. Computing these bounds may require refining the polyhedron obtained at the previous step into several subpolyhedra, in order to express them as affine functions of $v \in S_{(h_\alpha, h_\beta)}$;
– for each subpolyhedron, compute the optimal values for $\alpha$ and $\beta$: following Corollary 13, this amounts to finding values for $\alpha \in I_\alpha$ and $\beta \in I_\beta$ that maximize the following function:
$$\mu\colon (\alpha, \beta) \mapsto \min\{\beta - \alpha;\ \mathcal{P}_{i-1}(\ell', (v + \alpha)[z \to 0]);\ \mathcal{P}_{i-1}(\ell', (v + \beta)[z \to 0])\}.$$
This is performed by applying our technical Lemma 15; it may again require another refinement of the subpolyhedra, and returns an affine function for each subpolyhedron.

Fig. 2. Three steps of our procedure: compute $S_{(h_\alpha, h_\beta)}$; then compute expressions for $I^v_\alpha$ and $I^v_\beta$ (notice that we had to refine $S_{(h_\alpha, h_\beta)}$, because the expression for $I^v_\beta$ would be different for the lower part of $S_{(h_\alpha, h_\beta)}$ since it ends on a different facet of $h_\beta$); finally select best values for $\alpha$ and $\beta$. (Figure not reproduced; its panels show the cells $h_\alpha$ and $h_\beta$, the set $S_{(h_\alpha, h_\beta)}$, the valuation $v$, the intervals $I^v_\alpha$ and $I^v_\beta$, and the interval to be played.)

For each pair $(h_\alpha, h_\beta)$, we end up with a (partial) piecewise-affine function, defined on $S_{(h_\alpha, h_\beta)}$, returning the optimal permissiveness that can be obtained if playing interval $[\alpha, \beta]$ such that taking the transition to $\ell'$ after delay $\alpha$ (resp. $\beta$) leads to $h_\alpha$ (resp. $h_\beta$). Our final step to compute $\mathcal{P}_i$ in $\ell$ consists in taking the maximum of all these partial functions on their (possibly overlapping) domains; this may introduce one more refinement of our polyhedron.

Notice that all these computations are performed symbolically w.r.t. $v$: we manipulate affine functions of $v$, with conditions on $v$ for our computations to be valid.
□

Assuming that $v \mapsto \mathcal{P}_{i-1}(\ell', v)$ has $m$ cells, computing $v \mapsto \mathcal{P}_i(\ell, v)$ takes time O(m · (m + n)), where $n$ is the number of clocks, and this function has O(m · (m + n)) many cells. It follows that, for a linear timed automaton having $d$ locations, we obtain the permissiveness function in the initial state as a piecewise-affine function in time O((n + 1) d), which proves Theorem 14. This complexity is quite high, but it is a rough approximation.

In Appendix C, we develop a complete computation of $\mathcal{P}_i$ on the linear timed automaton of Fig. 3 (which only differs from the example of Fig. 1 in the guard of the first transition); in this computation, we have many intermediary cases to handle, but the final function $\mathcal{P}$ in $\ell_0$, depicted on Fig. 4, has a partition with only four cells (in the winning zone).

Fig. 3. Automaton of Fig. 1 where the guard on the first transition has been slightly extended. (Figure not reproduced: the first transition, with reset $y := 0$, now carries a constraint on $y$ only; the transition to $\ell_f$ keeps the guard $1 \le x \le 2 \wedge 0 \le y \le 1$.)

Fig. 4. Permissiveness function of the automaton of Fig. 3 in $\ell_0$. (Figure not reproduced: a plot over the clocks $x$ and $y$, with cells labelled by affine expressions in $x$ and $y$ and $-\infty$ outside the winning zone.)

We extend the previous study to the case of acyclic timed automata (with branching). In that case, we can still apply our inductive approach, with a few changes: at each step, we would compute the optimal move of the player for each single action, and then select the optimal action by "superimposing" the resulting permissiveness functions and selecting the action that maximizes permissiveness. This however breaks the result of Prop. 12: the maximum of two concave functions need not be concave. Example 2, derived from Example 1, displays an example where the permissiveness function is not concave.
Example 2. Consider the automaton of Fig. 5. The new (bottom) transition from $\ell$ to $\ell_f$ has the same constraint as the transition to $\ell_f$ of the automaton of Fig. 1; hence the permissiveness offered by that action is the same as the one we already computed for that transition. Hence the global permissiveness from $\ell$ is the (pointwise) maximum of the two piecewise-affine functions displayed on Fig. 1, which is depicted on Fig. 5. On this diagram, the blue area corresponds to points from where it is better (or only possible) to go via the intermediate location, while the red area corresponds to valuations from where it is better (or only possible) to take the bottom transition.

Fig. 5. A timed automaton and its (non-concave) permissiveness function in $\ell$ (axes $x$, $y$ and permissiveness; visible cell labels $2-x-y$, $x-y$ and $-\infty$).

We prove by induction that the permissiveness functions are still piecewise-affine in that setting. Hence all four steps of our proof of Lemma 16 still apply, with some adaptations. For each location $\ell$, for each transition $t$ from $\ell$ to some $\ell'$, the procedure now is as follows:
– for the first step, we again consider two cells $h_\alpha$ and $h_\beta$ in the partition defining $\mathcal{P}_{i-1}(\ell')$, together with a set $H$ of cells that will be visited between $h_\alpha$ and $h_\beta$. Again applying Fourier-Motzkin elimination, we get a polyhedron $S_{(h_\alpha,h_\beta,H)}$ of valuations from which those cells can indeed be visited;
– the computation of the intervals $I^v_\alpha$ and $I^v_\beta$ is unchanged;
– for each cell $h\in H$, we can compute the values $d^{\mathrm{in}}_h$ and $d^{\mathrm{out}}_h$ for which $(v+d^{\mathrm{in}}_h)[z\to 0]$ enters $h$ and $(v+d^{\mathrm{out}}_h)[z\to 0]$ leaves $h$ (notice that this may require further refinement of the polyhedron being considered). Since $\mathcal{P}_{i-1}$ is affine on cell $h$, its minimum over the part of the trajectory inside $h$ is reached at one of its two endpoints, i.e. either at $(v+d^{\mathrm{in}}_h)[z\to 0]$ or at $(v+d^{\mathrm{out}}_h)[z\to 0]$. We thus have to maximize
$$\mu'\colon(\alpha,\beta)\mapsto\min\Bigl(\{\beta-\alpha,\ \mathcal{P}_{i-1}(\ell',(v+\alpha)[z\to 0]),\ \mathcal{P}_{i-1}(\ell',(v+\beta)[z\to 0])\}\cup\{\mathcal{P}_{i-1}(\ell',(v+d^{\mathrm{in}}_h)[z\to 0]),\ \mathcal{P}_{i-1}(\ell',(v+d^{\mathrm{out}}_h)[z\to 0])\mid h\in H\}\Bigr).$$
Now, we notice that all values in the second set do not depend on $\alpha$ and $\beta$ (they only depend on $v$). We can thus still apply Lemma 15 in order to maximize $\mu(\alpha,\beta)$, and then take the above constants into account (which may again refine the polyhedra);
– the above three steps have to be performed for all outgoing transitions from the location $\ell$ being considered. The last step still consists in selecting the maximum of all the resulting functions.

The complexity of our procedure is much higher than that of linear automata: because we consider sets of cells already at the first step, we have $O(2^m)$ sets to consider. Assuming that $\mathcal{P}_{i-1}$ is made of $m$ cells, we may end up with $\mathcal{P}_i$ having more than $2^m$ cells. Since we have to repeat this procedure up to $|T|$ times, the time complexity is in $O({}^{|T|}2)$ (where ${}^{n}a$ denotes tetration). Hence our procedure is non-elementary in the worst case. In the end:

Theorem 17. The permissiveness function for acyclic timed automata is piecewise affine. It can be computed in non-elementary time.
We finally extend our approach to (acyclic) two-player turn-based timed games. This setting is easily seen to preserve piecewise-affineness of the permissiveness function. Indeed, in order to compute $\mathcal{P}_i$ in a location $\ell$ belonging to the opponent, it suffices to first compute the functions $\mathcal{P}^{\ell\to\ell'}_i$ for all outgoing transitions from $\ell$ to some $\ell'$; this follows the same procedure as above, and results in a piecewise-affine function, assuming (inductively) that $\mathcal{P}_{i-1}$ is piecewise affine. We then compute the (still piecewise-affine) minimum $M_i(\ell,v)$ of all those functions, and finally
$$\mathcal{P}_i(\ell,v)=\min_{d\ \text{s.t.}\ v+d\models\mathrm{Inv}(\ell)} M_i(\ell,v+d),$$
which is easily computed and remains piecewise-affine. The computation for locations that belong to the player is the same as in the case of plain timed automata. It follows:

Theorem 18. The permissiveness function for acyclic turn-based timed games is piecewise affine, and can be computed in non-elementary time.
In this paper, we addressed the problem of measuring the amount of precision needed in a timed automaton to reach a given target location. We built on the formalism of permissive strategies defined in [BFM15], and developed an algorithm for computing the optimal permissiveness in acyclic timed automata and games. There are several directions in which we will extend this work: as a first task, we will have a closer look at the complexity of our procedure, trying to find examples where the number of cells indeed grows either exponentially (for linear timed automata) or exponentially at each step (for acyclic timed automata). A natural continuation of our work consists in tackling cycles. We were unable to prove our intuition that there is no reason for the player to iterate a cycle. Following [BGMRS19], we might first consider fixing a timed automaton made of a single cycle, study how permissiveness evolves along one run in this cycle, and compute the optimal permissiveness for being able to take the cycle forever. Exploiting the 2-Lipschitz continuity of the permissiveness function, we could also develop approximation techniques, both for making our computations more efficient in the acyclic case and for handling cycles. Finally, other interesting directions include extending our approach to linear hybrid automata, or considering a stochastic opponent, thereby modelling the fact that perturbations need not always be antagonistic.
References

[AD94] Rajeev Alur and David L. Dill. A theory of timed automata. Theoretical Computer Science, 126(2):183–235, April 1994.
[BCD+07] Gerd Behrmann, Agnès Cougnard, Alexandre David, Emmanuel Fleury, Kim Guldstrand Larsen, and Didier Lime. UPPAAL-Tiga: Time for playing games! In Werner Damm and Holger Hermanns, editors, Proceedings of the 19th International Conference on Computer Aided Verification (CAV'07), volume 4590 of Lecture Notes in Computer Science, pages 121–125. Springer-Verlag, July 2007.
[BDL+06] Gerd Behrmann, Alexandre David, Kim Guldstrand Larsen, John Håkansson, Paul Pettersson, Wang Yi, and Martijn Hendriks. Uppaal 4.0. In Proceedings of the 3rd International Conference on Quantitative Evaluation of Systems (QEST'06), pages 125–126. IEEE Comp. Soc. Press, September 2006.
[BDM+98] Marius Bozga, Conrado Daws, Oded Maler, Alfredo Olivero, Stavros Tripakis, and Sergio Yovine. Kronos: A model-checking tool for real-time systems. In Alan J. Hu and Moshe Y. Vardi, editors, Proceedings of the 10th International Conference on Computer Aided Verification (CAV'98), volume 1427 of Lecture Notes in Computer Science, pages 546–550. Springer-Verlag, June-July 1998.
[BFM15] Patricia Bouyer, Erwin Fang, and Nicolas Markey. Permissive strategies in timed automata and games. In Gudmund Grov and Andrew Ireland, editors, Proceedings of the 15th International Workshop on Automated Verification of Critical Systems (AVOCS'15), volume 72 of Electronic Communications of the EASST. European Association of Software Science and Technology, September 2015.
[BGMRS19] Damien Busatto-Gaston, Benjamin Monmege, Pierre-Alain Reynier, and Ocan Sankur. Robust controller synthesis in timed Büchi automata: A symbolic approach. In Işil Dillig and Serdar Taşiran, editors, Proceedings of the 31st International Conference on Computer Aided Verification (CAV'19), volume 11561 of Lecture Notes in Computer Science, pages 572–590. Springer-Verlag, July 2019.
[BMS15] Patricia Bouyer, Nicolas Markey, and Ocan Sankur. Robust reachability in timed automata and games: A game-based approach. Theoretical Computer Science, 563:43–74, January 2015.
[CJMM20] Emily Clement, Thierry Jéron, Nicolas Markey, and David Mentré. Computing maximally-permissive strategies in acyclic timed automata. Technical Report 2007.01815, arXiv, 2020.
[DDMR04] Martin De Wulf, Laurent Doyen, Nicolas Markey, and Jean-François Raskin. Robustness and implementability of timed automata. In Yassine Lakhnech and Sergio Yovine, editors, Proceedings of the Joint International Conferences on Formal Modelling and Analysis of Timed Systems (FORMATS'04) and Formal Techniques in Real-Time and Fault-Tolerant Systems (FTRTFT'04), volume 3253 of Lecture Notes in Computer Science, pages 118–133. Springer-Verlag, September 2004.
[GHJ97] Vineet Gupta, Thomas A. Henzinger, and Radha Jagadeesan. Robust timed automata. In Oded Maler, editor, Proceedings of the 1997 International Workshop on Hybrid and Real-Time Systems (HART'97), volume 1201 of Lecture Notes in Computer Science, pages 331–345. Springer-Verlag, March 1997.
[HPT19] Frédéric Herbreteau, Gérald Point, and Thanh-Tung Tran. Tchecker, an open-source model-checker for timed systems, 2019.
[Pur00] Anuj Puri. Dynamical properties of timed systems. Discrete Event Dynamic Systems, 10(1-2):87–113, January 2000.
[SBMR13] Ocan Sankur, Patricia Bouyer, Nicolas Markey, and Pierre-Alain Reynier. Robust controller synthesis in timed automata. In Pedro R. D'Argenio and Hernán C. Melgratti, editors, Proceedings of the 24th International Conference on Concurrency Theory (CONCUR'13), volume 8052 of Lecture Notes in Computer Science, pages 546–560. Springer-Verlag, August 2013.
A Proofs of Section 2

This section is devoted to the proofs of the lemmas of Section 2.

Lemma 6. For any $(\ell,v)$, the sequence $(\mathcal{P}_i(\ell,v))_{i\in\mathbb{N}}$ is nondecreasing.

Proof. The proof is by induction. For any configuration $(\ell,v)$, either $\mathcal{P}_0(\ell,v)=\mathcal{P}_1(\ell,v)=+\infty$ (this is the case for $\ell=\ell_f$), or $\mathcal{P}_0(\ell,v)=-\infty$. In both cases, $\mathcal{P}_0(\ell,v)\le\mathcal{P}_1(\ell,v)$. Then, assuming $\mathcal{P}_i(\ell,v)\le\mathcal{P}_{i+1}(\ell,v)$ for all $(\ell,v)$, we directly get the same property at step $i+1$, since $\mathcal{P}_{i+2}$ is obtained from $\mathcal{P}_{i+1}$ by the same combination of $\sup$, $\min$ and $\inf$ as $\mathcal{P}_{i+1}$ from $\mathcal{P}_i$, and this combination is monotone. The result follows. $\square$

Lemma 7. If the longest path from $\ell$ to $\ell_f$ has at most $i$ transitions, then for any $v$ and any $j\ge 0$, it holds $\mathcal{P}_{i+j}(\ell,v)=\mathcal{P}_i(\ell,v)$.

Proof. By induction on $i$: for $i=0$, only $\ell_f$ satisfies the condition, and the result holds by definition of $\mathcal{P}_i$ for $\ell_f$. Now, assume that the result holds for some index $i$, and consider a location $\ell$ such that the longest path to $\ell_f$ has at most $i+1$ transitions. Then any successor location $\ell'$ of $\ell$ has a longest path of length at most $i$, hence $\mathcal{P}_i(\ell',v)=\mathcal{P}_{i+1}(\ell',v)$. It immediately follows that $\mathcal{P}_{i+1}(\ell,v)=\mathcal{P}_{i+2}(\ell,v)$ for any $v$, and by iterating, $\mathcal{P}_{i+1+j}(\ell,v)=\mathcal{P}_{i+1}(\ell,v)$ for all $j\ge0$. $\square$

Lemma 9. Let $\mathcal{A}$ be a timed automaton, with maximal constant $M$. Let $\ell$ be a location, and $i\in\mathbb{N}$. Take two valuations $v$ and $v'$ such that, for any clock $c$, we have either $v(c)=v'(c)$, or $v(c)>M$ and $v'(c)>M$. Then $\mathcal{P}_i(\ell,v)=\mathcal{P}_i(\ell,v')$.

Proof. The hypotheses ensure that any action- and delay transition performed from $(\ell,v)$ can be performed from $(\ell,v')$, and the resulting configurations still satisfy the conditions of the lemma. The result follows by induction. $\square$

Lemma 11. Let $(\ell,v)$ be a configuration, $t\in\mathbb{R}_{\ge0}$ such that $(\ell,v+t)$ is a configuration of the automaton, and $i\in\mathbb{N}$. Then $\mathcal{P}_i(\ell,v)-t\le\mathcal{P}_i(\ell,v+t)\le\mathcal{P}_i(\ell,v)$.

Proof. For any move $(I,a)$ that is available from $(\ell,v+t)$, the move $(I+t,a)$ is available from $(\ell,v)$. Moreover, the set of valuations on which $\mathcal{P}_{i-1}$ is minimized is the same in both cases, namely $\{(v+t+d)[z\to0]\mid d\in I\}$. It follows that $\mathcal{P}_i(\ell,v+t)\le\mathcal{P}_i(\ell,v)$. Conversely, for any move $(I,a)$ available from $(\ell,v)$ with $|I|\ge t$ (if any), the move $((I-t)\cap\mathbb{R}_{\ge0},a)$ is a valid (non-empty) move from $(\ell,v+t)$, whose interval is shorter by at most $t$. The other inequality follows. $\square$

Finally, to prove Proposition 10, we use the following lemmas:

Lemma 19. Let $v$ and $v'$ be two clock valuations. Write $\eta=\|v'-v\|_\infty$. If $([\alpha,\beta],a)\in\mathit{moves}(\ell,v)$ with $\beta-\alpha\ge2\eta$, then $([\alpha+\eta,\beta-\eta],a)\in\mathit{moves}(\ell,v')$.

Proof. For any clock $c$, $0\le v(c)+\alpha=v'(c)+\alpha+(v(c)-v'(c))\le v'(c)+(\alpha+\eta)$. Similarly, $v(c)+\beta=v'(c)+\beta+(v(c)-v'(c))\ge v'(c)+(\beta-\eta)$. Then for any interval $J$, if $v(c)+[\alpha,\beta]\subseteq J$, then also $v'(c)+[\alpha+\eta,\beta-\eta]\subseteq J$ (this interval is non-empty since $\beta-\alpha\ge2\eta$). It follows that for any guard $g$, if $v+[\alpha,\beta]\subseteq g$ with $\beta-\alpha\ge2\|v'-v\|_\infty$, then $v'+[\alpha+\|v'-v\|_\infty,\beta-\|v'-v\|_\infty]\subseteq g$. $\square$

Corollary 20. For any integer $i\in\mathbb{N}$ and any location $\ell$, the function $\nu_\ell\colon v\mapsto\sup_{(I,a)\in\mathit{moves}(\ell,v)}|I|$ is $2$-Lipschitz continuous on the set $\{v\mid\mathit{moves}(\ell,v)\ne\emptyset\}$.

Proof. We first prove the result for the case where location $\ell$ has a single transition $(\ell,g,a,z,\ell')$. Take two valuations $v$ and $v'$ for which $\mathit{moves}(\ell,v)$ is non-empty. We prove that $\nu_\ell(v')-\nu_\ell(v)\ge-2\|v'-v\|_\infty$. By symmetry of the roles of $v$ and $v'$, our result (for a single outgoing transition) follows.

First, if $\mathit{moves}(\ell,v)$ contains no interval of size at least $2\|v'-v\|_\infty$, then $\nu_\ell(v)\le2\|v'-v\|_\infty$ and obviously $\nu_\ell(v')-\nu_\ell(v)\ge-2\|v'-v\|_\infty$. Now, assume that there exists $[\alpha,\beta]\in\mathit{moves}(\ell,v)$ such that $\beta-\alpha\ge2\|v'-v\|_\infty$. By Lemma 19, for any such interval, the interval $[\alpha+\|v'-v\|_\infty,\beta-\|v'-v\|_\infty]$ belongs to $\mathit{moves}(\ell,v')$. Fix $\varepsilon>0$, and take $I=[\alpha,\beta]\in\mathit{moves}(\ell,v)$ such that $|I|\ge\nu_\ell(v)-\varepsilon$. Since $[\alpha+\|v'-v\|_\infty,\beta-\|v'-v\|_\infty]\in\mathit{moves}(\ell,v')$, it follows that $\nu_\ell(v')\ge\nu_\ell(v)-2\|v'-v\|_\infty-\varepsilon$. Since this holds for any $\varepsilon>0$, we get the announced inequality.

Now, in case there are several outgoing transitions, we have
$$\nu_\ell(v)=\sup_{(I,a)\in\mathit{moves}(\ell,v)}|I|=\max_{a\in\Sigma}\ \sup_{(I,a)\in\mathit{moves}(\ell,v)}|I|.$$
Hence $\nu_\ell$ is the pointwise maximum of $2$-Lipschitz continuous functions, hence it is $2$-Lipschitz continuous. $\square$

Proposition 10. For any integer $i\in\mathbb{N}$ and any location $\ell$, the function $\tau_\ell\colon v\mapsto\mathcal{P}_i(\ell,v)$ is $2$-Lipschitz on the set of valuations where it takes finite values.

Proof. The proof is again by induction on $i$. The case $i=0$ is trivial. Corollary 20 proves the result for $i=1$. Now, assume that the result holds for some index $i-1$. Take a location $\ell$, and again first assume that $\ell$ has a single outgoing transition $(\ell,g,a,z,\ell')$. As in the previous proof, the result for the general case directly follows.

Pick two valuations $v$ and $v'$ such that $\mathcal{P}_i(\ell,v)$ and $\mathcal{P}_i(\ell,v')$ are finite. In particular, $\mathit{moves}(\ell,v)$ and $\mathit{moves}(\ell,v')$ are non-empty. We follow the same approach as in the proof of Corollary 20, proving that $\tau_\ell(v')-\tau_\ell(v)\ge-2\|v'-v\|_\infty$. By symmetry, our result follows.

Again, in case $\mathit{moves}(\ell,v)$ contains no interval of size larger than or equal to $2\|v'-v\|_\infty$, the result is immediate. Otherwise, fix $\varepsilon>0$, and take an interval $I=[\alpha,\beta]$ such that
$$\min\bigl(|I|,\ \inf_{d\in I}\mathcal{P}_{i-1}(\ell',(v+d)[z\to0])\bigr)\ge\tau_\ell(v)-\varepsilon.$$
Then $|I|\ge\tau_\ell(v)-\varepsilon$, and for any $d\in I$, $\mathcal{P}_{i-1}(\ell',(v+d)[z\to0])\ge\tau_\ell(v)-\varepsilon$. Let $I'=[\alpha+\|v'-v\|_\infty,\beta-\|v'-v\|_\infty]$. Then $|I'|\ge|I|-2\|v'-v\|_\infty\ge\tau_\ell(v)-\varepsilon-2\|v'-v\|_\infty$. Moreover, since $I'\subseteq I$, we have $\mathcal{P}_{i-1}(\ell',(v+d)[z\to0])\ge\tau_\ell(v)-\varepsilon$ also when $d\in I'$. Additionally, for any $d\in I'$, $\|(v'+d)[z\to0]-(v+d)[z\to0]\|_\infty\le\|v'-v\|_\infty$, so that by the induction hypothesis
$$\mathcal{P}_{i-1}(\ell',(v+d)[z\to0])-\mathcal{P}_{i-1}(\ell',(v'+d)[z\to0])\le2\|(v'+d)[z\to0]-(v+d)[z\to0]\|_\infty\le2\|v'-v\|_\infty.$$
Thus for any $d\in I'$,
$$\mathcal{P}_{i-1}(\ell',(v'+d)[z\to0])\ge\mathcal{P}_{i-1}(\ell',(v+d)[z\to0])-2\|v'-v\|_\infty\ge\tau_\ell(v)-\varepsilon-2\|v'-v\|_\infty.$$
Since also $|I'|\ge\tau_\ell(v)-\varepsilon-2\|v'-v\|_\infty$, and $(I',a)\in\mathit{moves}(\ell,v')$ by Lemma 19, we get
$$\tau_\ell(v')\ge\min\bigl(|I'|,\ \inf_{d\in I'}\mathcal{P}_{i-1}(\ell',(v'+d)[z\to0])\bigr)\ge\tau_\ell(v)-\varepsilon-2\|v'-v\|_\infty.$$
Since this holds for any $\varepsilon>0$, the result follows. $\square$

B Proofs of Section 3
B.1 Proof of Proposition 12 and Corollary 13

Proposition 12. Let $i\in\mathbb{N}$. Let $\ell$ be a location of a linear timed automaton, let $v_0$ and $v_1$ be two clock valuations such that $\mathcal{P}_i(\ell,v_0)$ and $\mathcal{P}_i(\ell,v_1)$ are finite. Let $\lambda\in[0;1]$, and $v_\lambda=\lambda\cdot v_0+(1-\lambda)\cdot v_1$. Then $\mathcal{P}_i(\ell,v_\lambda)\ge\lambda\cdot\mathcal{P}_i(\ell,v_0)+(1-\lambda)\cdot\mathcal{P}_i(\ell,v_1)$.

Proof. The proof is by induction on $i$: it is trivial for $i=0$, since $\mathcal{P}_0(\ell,v)$ does not depend on $v$. Assume that the result holds true for $\mathcal{P}_i$, and consider $\mathcal{P}_{i+1}$. Let $\ell$ be a location of the automaton, and $(\ell,g,a,r,\ell')$ be its unique outgoing transition. Let $(I_j,a)\in\mathit{moves}(\ell,v_j)$ for $j\in\{0,1\}$. By definition of $\mathit{moves}$, for $j\in\{0,1\}$ we then have $v_j+d_j\models g$ for any $d_j\in I_j$. We can then define the set $I_\lambda=\{\lambda d_0+(1-\lambda)d_1\mid d_0\in I_0,\ d_1\in I_1\}$. Moreover, pick any $d_\lambda\in I_\lambda$: then $d_\lambda=\lambda\cdot d_0+(1-\lambda)\cdot d_1$ for some $d_0\in I_0$ and $d_1\in I_1$, and $v_\lambda+d_\lambda$ can be written as $\lambda\cdot(v_0+d_0)+(1-\lambda)\cdot(v_1+d_1)$. Since both $v_0+d_0$ and $v_1+d_1$ satisfy guard $g$, by convexity of $g$ we have $v_\lambda+d_\lambda\models g$. This proves that $(I_\lambda,a)\in\mathit{moves}(\ell,v_\lambda)$. Moreover $|I_\lambda|=\lambda\cdot|I_0|+(1-\lambda)\cdot|I_1|$.

Fix $\varepsilon>0$, and take two intervals $I_0$ and $I_1$ such that
$$\min\bigl(|I_j|,\ \inf\{\mathcal{P}_i(\ell',(v_j+d_j)[r\to0])\mid d_j\in I_j\}\bigr)\ge\mathcal{P}_{i+1}(\ell,v_j)-\varepsilon\quad\text{for }j\in\{0,1\}.$$
Define $I_\lambda$ as above. Then:
$$\begin{aligned}
\mathcal{P}_{i+1}(\ell,v_\lambda)&=\sup_{(I,a)\in\mathit{moves}(\ell,v_\lambda)}\min\bigl(|I|,\ \inf\{\mathcal{P}_i(\ell',v')\mid\exists d\in I.\ (\ell,v_\lambda)\xrightarrow{d,a}(\ell',v')\}\bigr)\\
&\ge\min\bigl(|I_\lambda|,\ \inf\{\mathcal{P}_i(\ell',v'_\lambda)\mid\exists d_\lambda\in I_\lambda.\ (\ell,v_\lambda)\xrightarrow{d_\lambda,a}(\ell',v'_\lambda)\}\bigr)\\
&\qquad\text{(the supremum over all moves is at least the value of the particular move $(I_\lambda,a)$)}\\
&=\min\bigl(|I_\lambda|,\ \inf\{\mathcal{P}_i(\ell',(v_\lambda+d_\lambda)[r\to0])\mid d_\lambda\in I_\lambda\}\bigr)\\
&\qquad\text{(by expanding the effect of transition $(\ell,g,a,r,\ell')$)}\\
&=\min\bigl(|I_\lambda|,\ \inf\{\mathcal{P}_i(\ell',(\lambda\cdot(v_0+d_0)+(1-\lambda)\cdot(v_1+d_1))[r\to0])\mid d_0\in I_0,\ d_1\in I_1\}\bigr)\\
&\qquad\text{(by definition of $I_\lambda$)}\\
&=\min\bigl(|I_\lambda|,\ \inf\{\mathcal{P}_i(\ell',\lambda\cdot(v_0+d_0)[r\to0]+(1-\lambda)\cdot(v_1+d_1)[r\to0])\mid d_0\in I_0,\ d_1\in I_1\}\bigr)\\
&\qquad\text{(by linearity of the projection $[r\to0]$)}\\
&\ge\min\bigl(|I_\lambda|,\ \inf\{\lambda\cdot\mathcal{P}_i(\ell',(v_0+d_0)[r\to0])+(1-\lambda)\cdot\mathcal{P}_i(\ell',(v_1+d_1)[r\to0])\mid d_0\in I_0,\ d_1\in I_1\}\bigr)\\
&\qquad\text{(by induction hypothesis)}\\
&=\min\bigl(\lambda\cdot|I_0|+(1-\lambda)\cdot|I_1|,\ \lambda\cdot\inf\{\mathcal{P}_i(\ell',(v_0+d_0)[r\to0])\mid d_0\in I_0\}+(1-\lambda)\cdot\inf\{\mathcal{P}_i(\ell',(v_1+d_1)[r\to0])\mid d_1\in I_1\}\bigr)\\
&\ge\lambda\cdot\min\bigl(|I_0|,\ \inf\{\mathcal{P}_i(\ell',(v_0+d_0)[r\to0])\mid d_0\in I_0\}\bigr)+(1-\lambda)\cdot\min\bigl(|I_1|,\ \inf\{\mathcal{P}_i(\ell',(v_1+d_1)[r\to0])\mid d_1\in I_1\}\bigr)\\
&\qquad\text{(as $\min(a+b,a'+b')\ge\min(a,a')+\min(b,b')$)}\\
&\ge\lambda\cdot\mathcal{P}_{i+1}(\ell,v_0)+(1-\lambda)\cdot\mathcal{P}_{i+1}(\ell,v_1)-\varepsilon.
\end{aligned}$$
Since this holds for any $\varepsilon>0$, our result follows. $\square$

Corollary 13. Let $\ell$ be a location of a linear timed automaton, $v$ and $v'$ be two clock valuations, $\lambda\in[0;1]$, and $v_\lambda=\lambda\cdot v+(1-\lambda)\cdot v'$. Then for all $i$: $\mathcal{P}_i(\ell,v_\lambda)\ge\min\{\mathcal{P}_i(\ell,v),\mathcal{P}_i(\ell,v')\}$. In particular, for any valuation $v$, any bounded interval $[\alpha,\beta]$, and any transition $\ell\xrightarrow{g,a,r}\ell'$ enabled along it:
$$\inf\{\mathcal{P}_i(\ell',v')\mid\exists d\in[\alpha,\beta].\ (\ell,v)\xrightarrow{d,a}(\ell',v')\}=\min\{\mathcal{P}_i(\ell',v'_\alpha),\ \mathcal{P}_i(\ell',v'_\beta)\}$$
where $(\ell,v)\xrightarrow{\alpha,a}(\ell',v'_\alpha)$ and $(\ell,v)\xrightarrow{\beta,a}(\ell',v'_\beta)$.

Proof. The fact that $\mathcal{P}_i(\ell,v_\lambda)\ge\min\{\mathcal{P}_i(\ell,v),\mathcal{P}_i(\ell,v')\}$ is a direct consequence of Proposition 12. Additionally, we have
$$\inf\{\mathcal{P}_i(\ell',v')\mid\exists d\in[\alpha,\beta].\ (\ell,v)\xrightarrow{d,a}(\ell',v')\}=\inf\{\mathcal{P}_i(\ell',v')\mid\exists\lambda\in[0,1].\ v'=\lambda\cdot v'_\alpha+(1-\lambda)\cdot v'_\beta\}$$
because $(v+(\lambda\alpha+(1-\lambda)\beta))[r\to0]=\lambda\bigl((v+\alpha)[r\to0]\bigr)+(1-\lambda)\bigl((v+\beta)[r\to0]\bigr)$. The second claim follows from the first one applied in $\ell'$. $\square$

B.2 Proof of Lemma 16
For this proof, we use a more precise definition of piecewise-affine functions:
Definition 21. Let $n\in\mathbb{N}$. An $n$-dimensional piecewise-affine function is a mapping $f\colon\mathbb{R}^n_{\ge0}\to\mathbb{R}\cup\{-\infty\}$ for which there exist
– a finite family of $n$-dimensional linear functions $\Phi=(\varphi_k)_{1\le k\le m}$, and a finite family of finite partitions $P=(P_k)_{1\le k\le m}$ of $\mathbb{R}$ into intervals; these define the following partition of $\mathbb{R}^n_{\ge0}$ into convex polyhedra (some of which may be empty):
$$\llbracket\Phi,P\rrbracket=\{\llbracket\Phi,b\rrbracket\mid b=(b_k)_{1\le k\le m}\text{ s.t. for all }1\le k\le m,\ b_k\in P_k\},\qquad\text{where }\llbracket\Phi,b\rrbracket=\{v\mid\varphi_k(v)\in b_k\text{ for all }1\le k\le m\};$$
– for each convex polyhedron $h$ of $\llbracket\Phi,P\rrbracket$, an affine function $f_h$, which we write as $f_h(v)=F^0_h+\sum_{1\le k\le n}F^k_h\cdot v_k$;
such that for all $v\in\mathbb{R}^n_{\ge0}$, $f(v)=f_h(v)$ for the unique cell $h$ of $\llbracket\Phi,P\rrbracket$ containing $v$.

Example 3. We consider the 2-dimensional piecewise-affine function $f$ displayed on Fig. 6. Its underlying partition can be defined using two linear functions:
– $\varphi_1\colon(x,y)\mapsto y$, associated with the partition $P_1=\{(-\infty;1],\ (1;+\infty)\}$;
– $\varphi_2\colon(x,y)\mapsto x-y$, associated with the partition $P_2=\{(-\infty;0],\ (0;1],\ (1;+\infty)\}$.

Fig. 6. An example of a 2-dimensional piecewise-affine function (axes $x\in[0,3]$ and $y\in[0,1]$; six cells, labelled $x+y$, $y$, $x-y$ and $-\infty$).

This defines a partition of $\mathbb{R}^2_{\ge0}$ into six cells: on three of them, those for which $\varphi_1(x,y)\in(1;+\infty)$, our piecewise-affine function $f$ constantly equals $-\infty$; for the other three cells:
– on $\{(x,y)\mid\varphi_1(x,y)\in(-\infty;1]\text{ and }\varphi_2(x,y)\in(-\infty;0]\}$, the affine function coincides with $(x,y)\mapsto x+y$;
– on $\{(x,y)\mid\varphi_1(x,y)\in(-\infty;1]\text{ and }\varphi_2(x,y)\in(0;1]\}$, the affine function coincides with $(x,y)\mapsto y$;
– on $\{(x,y)\mid\varphi_1(x,y)\in(-\infty;1]\text{ and }\varphi_2(x,y)\in(1;+\infty)\}$, the affine function coincides with $(x,y)\mapsto x-y$.

Lemma 16.
Let $\mathcal{A}$ be a linear timed automaton with $n$ clocks. Let $(\ell,g,a,z,\ell')$ be a transition of $\mathcal{A}$, and assume that $v\mapsto\mathcal{P}_{i-1}(\ell',v)$ is piecewise affine, with $m$ cells. Then $v\mapsto\mathcal{P}_i(\ell,v)$ is piecewise affine. It can be computed in time $O(m\cdot(m+n))$. It can be defined using a polyhedral partition of size $O(m\cdot(m+n))$, and with coefficients polynomial in those of $\mathcal{P}_{i-1}$.

Proof. We assume that $v\mapsto\mathcal{P}_{i-1}(\ell',v)$ is not constant equal to $-\infty$ (if it were the case, then also $\mathcal{P}_i(\ell,v)=-\infty$ for all $v$). Similarly, we assume that $\mathit{moves}(\ell,v)$ is non-empty for some $v$. Since $v\mapsto\mathcal{P}_{i-1}(\ell',v)$ is piecewise-affine, we can then fix a polyhedral partition $\llbracket\Phi,P\rrbracket$ and, for each cell $h$ in this partition, an affine function $f_h$, such that $\mathcal{P}_{i-1}(\ell',v)=f_h(v)$ for the only cell $h$ containing $v$.

Our procedure for computing $\mathcal{P}_i$ in $\ell$ consists in listing the possible pairs of cells of the partition defining $\mathcal{P}_{i-1}$ in $\ell'$ in which the left- and right-bounds of the interval to be proposed lie. Our approach thus consists in listing each such pair of (possibly identical) cells $(h_\alpha,h_\beta)$ in the partition defining $\mathcal{P}_{i-1}$ in $\ell'$, and
– characterizing the set $S_{(h_\alpha,h_\beta)}$ of all valuations from which those cells can be reached by taking the transition from $\ell$ to $\ell'$. We compute this polyhedron using quantifier elimination;
– computing the ranges for $\alpha$ and $\beta$ that can be played in order to indeed end up respectively in $h_\alpha$ and $h_\beta$. These are intervals $I_\alpha$ and $I_\beta$, whose bounds are expressed as functions of $v$. Computing these bounds may require refining the polyhedron obtained at the previous step into several subpolyhedra, in order to express them as affine functions of $v\in S_{(h_\alpha,h_\beta)}$;
– for each subpolyhedron, computing the optimal values for $\alpha$ and $\beta$: following Corollary 13, this amounts to finding values $\alpha\in I_\alpha$ and $\beta\in I_\beta$ that maximize the following function:
$$\mu\colon(\alpha,\beta)\mapsto\min\{\beta-\alpha;\ \mathcal{P}_{i-1}(\ell',(v+\alpha)[z\to0]);\ \mathcal{P}_{i-1}(\ell',(v+\beta)[z\to0])\}.$$
This is performed by applying our technical Lemma 15; it may again require another refinement of the subpolyhedra, and returns an affine function for each subpolyhedron.

For each pair $(h_\alpha,h_\beta)$, we end up with a (partial) piecewise-affine function, defined on $S_{(h_\alpha,h_\beta)}$, returning the optimal permissiveness that can be obtained if playing an interval $[\alpha,\beta]$ such that taking the transition to $\ell'$ after delay $\alpha$ (resp. $\beta$) leads to $h_\alpha$ (resp. $h_\beta$). Our final step to compute $\mathcal{P}_i$ in $\ell$ consists in taking the maximum of all these partial functions on their (possibly overlapping) domains. Notice that all these computations are performed symbolically w.r.t. $v$: we manipulate affine functions of $v$, with conditions on $v$ for our computation to be valid. Figure 7 illustrates the main three steps of this procedure.

Fig. 7.
Three steps of our procedure: first compute $S_{(h_\alpha,h_\beta)}$; then compute expressions for $I^v_\alpha$ and $I^v_\beta$ (notice that we had to refine $S_{(h_\alpha,h_\beta)}$, because the expression for $I^v_\beta$ would be different for the lower part of $S_{(h_\alpha,h_\beta)}$, since it ends on a different facet of $h_\beta$); finally select the best values for $\alpha$ and $\beta$.

We now detail the first three steps. For this, we fix two cells $h_\alpha$ and $h_\beta$ of the partition defining $\mathcal{P}_{i-1}$ in $\ell'$. Following Definition 21, those cells can be characterized by two families, $(b^\alpha_j)_j$ and $(b^\beta_j)_j$, of cells in $P$, such that $h_\alpha=\bigcap_{1\le j\le m}\varphi_j^{-1}(b^\alpha_j)$ and $h_\beta=\bigcap_{1\le j\le m}\varphi_j^{-1}(b^\beta_j)$.

Computing $S_{(h_\alpha,h_\beta)}$. We assume that the conjunction of the guard $g$ and the invariant $I(\ell)$ can be represented as the conjunction of one interval constraint $[L_c,U_c]$ per clock $c$. The set $S_{(h_\alpha,h_\beta)}$ of valuations that can reach $h_\alpha$ and $h_\beta$ with delays $\alpha\le\beta$ (and after taking the transition to $\ell'$) is defined as follows:
$$S_{(h_\alpha,h_\beta)}=\{v\in\mathbb{R}^n_{\ge0}\mid\exists\,0\le\alpha\le\beta.\ \forall j.\ \varphi_j((v+\alpha)[z\to0])\in b^\alpha_j\ \text{and}\ \varphi_j((v+\beta)[z\to0])\in b^\beta_j\ \text{and}\ v+\alpha\models g\ \text{and}\ v+\beta\models g\}.$$
Writing $K_j$ for the sum of the coefficients of the linear function $\varphi_j$ over the clocks not reset by $z$ (the only clocks on which the delay acts after the reset; to lighten notations we write $\varphi_j(v)$ for $\varphi_j(v[z\to0])$ in the sequel), and $b^\alpha_j=[l^\alpha_j,u^\alpha_j]$, the condition $\varphi_j((v+\alpha)[z\to0])\in b^\alpha_j$ can be rewritten either as $\varphi_j(v)\in b^\alpha_j$ if $K_j=0$, or as
$$\frac{1}{K_j}\bigl(l^\alpha_j-\varphi_j(v)\bigr)\le\alpha\le\frac{1}{K_j}\bigl(u^\alpha_j-\varphi_j(v)\bigr)$$
otherwise (with the two bounds swapped when $K_j<0$). The same applies for $\beta$. Using Fourier-Motzkin quantifier elimination, $S_{(h_\alpha,h_\beta)}$ can be written as the conjunction of the following four sets of constraints:
– existence of $\alpha$ is expressed as the conjunction of at most $(m+n)\cdot(m+n-1)$ conditions:
  • $m\cdot(m-1)$ conditions are of the form $\frac{1}{K_j}(l^\alpha_j-\varphi_j(v))\le\frac{1}{K_{j'}}(u^\alpha_{j'}-\varphi_{j'}(v))$. Notice that in those conditions, the coefficients of the linear functions sum up to zero (we name such linear functions diagonal in the sequel);
  • $mn$ conditions of the form $\frac{1}{K_j}(l^\alpha_j-\varphi_j(v))\le U_c-v(c)$ and $mn$ conditions of the form $L_c-v(c)\le\frac{1}{K_j}(u^\alpha_j-\varphi_j(v))$. Again, this gives diagonal linear functions;
  • $n\cdot(n-1)$ conditions of the form $L_c-v(c)\le U_{c'}-v(c')$. These also give rise to diagonal affine functions;
– existence of $\beta$ is expressed similarly. In particular, it uses the same linear functions, which are all diagonal;
– that $\alpha$ is nonnegative is expressed as the conjunction of $\frac{1}{K_j}(u^\alpha_j-\varphi_j(v))\ge0$ for all $j$ and $U_c-v(c)\ge0$ for all $c$;
– that $\alpha\le\beta$ is expressed as $(m+n)\cdot(m+n-1)$ constraints similar to those of the first case. Again, no new linear functions are created in this step, compared to the previous ones, and only diagonal functions will be used.
In the end we have $3(m+n)(m+n-1)+(m+n)$ constraints (but defined with at most $(m+n)$ linear functions). Notice that at most $m+n$ of those linear functions may be non-diagonal, and those non-diagonal functions directly originate either from the guards or from the partition defining $\mathcal{P}_{i-1}$ in $\ell'$.

Computing the range for the bounds $\alpha$ and $\beta$. In case $S_{(h_\alpha,h_\beta)}$ is non-empty, we proceed with computing the values for $\alpha$ and $\beta$ that indeed lead to $h_\alpha$ and $h_\beta$. For any $v\in S_{(h_\alpha,h_\beta)}$, the set $I^v_\alpha$ (resp. $I^v_\beta$) of values for $\alpha$ (resp. $\beta$) for which $v+\alpha\models g$ and $(v+\alpha)[z\to0]\in h_\alpha$ (resp. $v+\beta\models g$ and $(v+\beta)[z\to0]\in h_\beta$) then is an interval: from the conditions above, these intervals can be written $I^v_\alpha=[D^v_\alpha,E^v_\alpha]$ with
$$D^v_\alpha=\max\Bigl(\Bigl\{\tfrac{1}{K_j}\bigl(l^\alpha_j-\varphi_j(v)\bigr)\ \Big|\ 1\le j\le m,\ K_j\ne0\Bigr\}\cup\{L_c-v(c)\mid c\in C\}\Bigr),\qquad E^v_\alpha=\min\Bigl(\Bigl\{\tfrac{1}{K_j}\bigl(u^\alpha_j-\varphi_j(v)\bigr)\ \Big|\ 1\le j\le m,\ K_j\ne0\Bigr\}\cup\{U_c-v(c)\mid c\in C\}\Bigr)$$
(and similarly for $I^v_\beta$). In order to have affine expressions for the bounds of $I^v_\alpha$ and $I^v_\beta$, we refine $S_{(h_\alpha,h_\beta)}$ into cells on which one of the affine functions in the expressions of $D^v_\alpha$ (resp. $E^v_\alpha$) realizes the maximum (resp. minimum). This refinement is obtained by expressing the fact that the selected affine function is indeed larger than (resp. smaller than) all other functions. This may refine $S_{(h_\alpha,h_\beta)}$ into at most $(m+n)$ cells, defined with diagonal linear functions already introduced at the previous step. Notice that the bounds of those intervals may be left- and/or right-open; we only consider closed intervals so as not to blur the focus of our presentation, but we could handle open intervals easily.

Computing the optimal values for $\alpha$ and $\beta$. We let $D=\{(\alpha,\beta)\mid\alpha\in I^v_\alpha,\ \beta\in I^v_\beta,\ \alpha\le\beta\}$. It remains to find the optimal choices for $\alpha$ and $\beta$, i.e., the values that maximize
$$\min\Bigl\{\beta-\alpha;\ \inf_{\gamma\in[\alpha;\beta]}\mathcal{P}_{i-1}(\ell',(v+\gamma)[z\to0])\Bigr\}$$
over $D$.
Thanks to Corollary 13, this amounts to maximizing

$$\mu : (\alpha, \beta) \mapsto \min\{\beta - \alpha;\ P_{i-1}(\ell', (v+\alpha)[z \to 0]);\ P_{i-1}(\ell', (v+\beta)[z \to 0])\}$$

over that set. Since $(v+\alpha)[z \to 0] \in h_\alpha$, we have $P_{i-1}(\ell', (v+\alpha)[z \to 0]) = f_{h_\alpha}((v+\alpha)[z \to 0])$, where $f_{h_\alpha}$ is an n-dimensional affine function; writing $F^z_{h_\alpha}$ for the sum of the coefficients of the clocks that are not reset in $z$ (i.e., $F^z_{h_\alpha} = f_{h_\alpha}(\ ) - f_{h_\alpha}(z)$), we have $f_{h_\alpha}((v+\alpha)[z \to 0]) = F^z_{h_\alpha} \cdot \alpha + f_{h_\alpha}(v[z \to 0])$, and similarly for β. We then have

$$\mu(\alpha, \beta) = \min\{\beta - \alpha;\ F^z_{h_\alpha} \cdot \alpha + f_{h_\alpha}(v[z \to 0]);\ F^z_{h_\beta} \cdot \beta + f_{h_\beta}(v[z \to 0])\},$$

which we want to minimize over $D$. In case $I^v_\beta$ is unbounded (which may occur when all upper bounds $u^\beta_j$ and $U_c$ equal $+\infty$), by Lemma 9 we get that $f_{h_\beta}$ is constant, and we can choose $\beta = +\infty$. It remains to maximize $\min\{F^z_{h_\alpha} \cdot \alpha + f_{h_\alpha}(v[z \to 0]),\ f_{h_\beta}(v[z \to 0])\}$ when α ranges over $I^v_\alpha$. Again, if $I^v_\alpha$ is unbounded, $f_{h_\alpha}$ is constant, and α can be chosen arbitrarily in $I^v_\alpha$; otherwise, the maximum is obtained at one of the bounds of $I^v_\alpha$, depending on the sign of $F^z_{h_\alpha}$.

Now, in case $I^v_\alpha$ and $I^v_\beta$ are bounded, we apply Lemma 15 and directly get the optimal solution. This may again require refining the polyhedron being considered into at most 13 subpolyhedra, since there may be up to 13 different cases for minimizing $\mu(\alpha, \beta)$ (see Appendix D). We then get the optimal values for α and β, as well as the value of µ at that maximal point, depending on the signs of $F^z_{h_\alpha}$ and $F^z_{h_\beta}$. It can be checked that both the optimal choices for α and β, as well as the resulting permissiveness function, are affine functions of $v$: indeed, in our instance of the problem of Lemma 15, $a$ and $c$ are constant, while $b$ and $d$, and $m_x$, $M_x$, $m_y$ and $M_y$, are affine functions of $v$; the latter may only be multiplied by constants, and/or added to one another. The coefficients of those affine functions can be computed from those of $f_{h_\alpha}$ and $f_{h_\beta}$, and from those of the functions $(\varphi_j)_j$ defining the partition of the piecewise-linear permissiveness function $P_i(\ell', v)$: in the worst case, the numerators are multiplied by the sum of all coefficients, and the denominators may be multiplied by the product of two sums of coefficients. In any case, the space needed to store one such function (assuming binary encoding) is at most linear in the space needed to store $P_{i-1}$. This concludes the third step of our computation.
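The maximization of µ over $D$ that Lemma 15 resolves by case analysis can also be checked mechanically: µ is concave and piecewise affine, so its maximum over the polytope $D$ is attained where two of the lines bounding $D$, or equating two of the three functions $\beta - \alpha$, $f$, $g$, intersect. The Python code below is an added example, not code from the paper; it uses exact rational arithmetic and is exercised on case (1a) of Example 4 below ($f(\alpha) = x + \alpha$, $g(\beta) = x + \beta$, $\alpha, \beta \in [0; 1-y]$) at a constructed valuation.

```python
from fractions import Fraction as F
from itertools import combinations

# Added example: maximise mu(alpha, beta) = min{beta - alpha, a*alpha + b, c*beta + d}
# over D = {m_a <= alpha <= M_a, m_b <= beta <= M_b, alpha <= beta} (Lemma 15).
# mu is concave and piecewise affine, so its maximum over the polytope D is
# attained at a vertex of the arrangement formed by the edges of D and the three
# lines on which two of the functions beta - alpha, f, g coincide. Enumerating
# every pairwise intersection that lies in D is therefore exact (no case split).
def max_permissiveness(a, b, c, d, m_a, M_a, m_b, M_b):
    a, b, c, d, m_a, M_a, m_b, M_b = map(F, (a, b, c, d, m_a, M_a, m_b, M_b))
    # Each line is (p, q, r), meaning p*alpha + q*beta = r.
    lines = [
        (-1 - a, F(1), b),                      # beta - alpha = a*alpha + b
        (F(-1), 1 - c, d),                      # beta - alpha = c*beta + d
        (a, -c, d - b),                         # a*alpha + b = c*beta + d
        (F(1), F(0), m_a), (F(1), F(0), M_a),   # alpha = m_a, alpha = M_a
        (F(0), F(1), m_b), (F(0), F(1), M_b),   # beta = m_b, beta = M_b
        (F(1), F(-1), F(0)),                    # alpha = beta
    ]

    def mu(al, be):
        return min(be - al, a * al + b, c * be + d)

    best = None
    for (p1, q1, r1), (p2, q2, r2) in combinations(lines, 2):
        det = p1 * q2 - p2 * q1
        if det == 0:                     # parallel (or identical) lines: no vertex
            continue
        al = (r1 * q2 - r2 * q1) / det   # Cramer's rule
        be = (p1 * r2 - p2 * r1) / det
        if not (m_a <= al <= M_a and m_b <= be <= M_b and al <= be):
            continue                     # vertex lies outside D
        val = mu(al, be)
        if best is None or val > best[0]:
            best = (val, al, be)
    return best                          # (max of mu, alpha, beta), or None if D is empty


if __name__ == "__main__":
    # Case (1a) of Example 4: f(alpha) = x + alpha, g(beta) = x + beta and
    # alpha, beta in [0; 1 - y], at the constructed valuation x = 1/5, y = 3/10.
    x, y = F(1, 5), F(3, 10)
    # permissiveness 9/20, reached with the interval [alpha; beta] = [1/4; 7/10]
    print(max_permissiveness(1, x, 1, x, 0, 1 - y, 0, 1 - y))
```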
Finalizing the computation of $P_i$ in $\ell$. We now have a collection of affine functions (at most $13\,m \cdot (m+n)$), each associated with a polyhedron on which it gives a candidate expression for $P_i$. The polyhedra may overlap, as for each valuation we considered $m$ possible cells in which the valuation may end up. We thus have to refine one last time the partition we obtained, by considering subpolyhedra where one of the $m$ candidate functions is larger than the other ones. This may further refine each cell into $m$ subpolyhedra, defined with up to $m$ new linear functions.

In the end, this proves that the function $P_i$ in $\ell$ is piecewise affine, and that it can be computed from $P_{i-1}$ in time $O(m \cdot (m+n))$. The partition defining $P_i$ in $\ell$ may have up to $O(m \cdot (m+n))$ cells, defined with at most $O((m+n))$ linear functions. The coefficients of the affine functions defining $P_i$ are polynomials in the coefficients of the affine functions defining $P_{i-1}$. □

C Example of computation of permissiveness
Example 4.

We slightly modify the automaton of Fig. 1, by changing the guard on the first transition as displayed on Fig. 8. We develop the computation of the permissiveness function for this automaton.

Fig. 8. Automaton of Fig. 1 where the guard on the first transition has been slightly extended
Obviously, function $P(\ell) = P(\ell)$ is unchanged. We detail the computation of $P(\ell)$. Following the proof of Lemma 16, we list the pairs of possible cells where the automaton may enter $\ell$ after delays α and β: since the transition to $\ell$ resets $y$, we have two possible cells, namely $C = \{(x,\ ) \mid {} \le x \le {}\}$ and $C = \{(x,\ ) \mid {} < x \le {}\}$. Hence we have four possible situations to consider:

1. both $(v+\alpha)[y \to 0]$ and $(v+\beta)[y \to 0]$ in $C$;
2. both $(v+\alpha)[y \to 0]$ and $(v+\beta)[y \to 0]$ in $C$;
3. $(v+\alpha)[y \to 0] \in C$ and $(v+\beta)[y \to 0] \in C$;
4. $(v+\alpha)[y \to 0] \in C$ and $(v+\beta)[y \to 0] \in C$.

For each pair, we begin with computing the set of valuations $v$ for which there are values $0 \le \alpha \le \beta$ satisfying the conditions:

1. having $(v+\alpha)[y \to 0]$ and $(v+\beta)[y \to 0]$ in $C$ can be written as $\exists \alpha \le \beta.\ {} \le v(y) + \alpha \le {} \wedge {} \le v(y) + \beta \le {} \wedge {} \le v(x) + \alpha \le {} \wedge {} \le v(x) + \beta \le {}$. The constraints on $y$ come from the guard of the transition, while those on $x$ correspond to having the target valuations in $C$. In this simple case, quantifier elimination returns $\{(x,y) \mid {} \le x \le {} \wedge {} \le y \le {}\}$.
2. having $(v+\alpha)[y \to 0]$ and $(v+\beta)[y \to 0]$ in $C$ translates to $\exists \alpha \le \beta.\ {} \le v(y) + \alpha \le {} \wedge {} \le v(y) + \beta \le {} \wedge {} < v(x) + \alpha \le {} \wedge {} < v(x) + \beta \le {}$. This results in $\{(x,y) \mid {} \le x \le {} \wedge {} \le y \le {} \wedge y \le x\}$.
3. the case where $(v+\alpha)[y \to 0] \in C$ and $(v+\beta)[y \to 0] \in C$ writes $\exists \alpha \le \beta.\ {} \le v(y) + \alpha \le {} \wedge {} \le v(y) + \beta \le {} \wedge {} \le v(x) + \alpha \le {} \wedge {} < v(x) + \beta \le {}$. This corresponds to $\{(x,y) \mid {} \le x \le {} \wedge {} \le y \le {} \wedge y \le x\}$.
4. Finally, the situation where $(v+\alpha)[y \to 0] \in C$ and $(v+\beta)[y \to 0] \in C$ translates as $\exists \alpha \le \beta.\ {} \le v(y) + \alpha \le {} \wedge {} \le v(y) + \beta \le {} \wedge {} < v(x) + \alpha \le {} \wedge {} \le v(x) + \beta \le {}$. This in particular requires $1 - v(x) < \alpha$ and $\beta \le {} - v(x)$, which are incompatible with the condition $\alpha \le \beta$. Hence this case is empty.

For convenience in this 2-clock example, we may write valuations either as $v$ or as pairs $(x, y)$, depending on the situation.

We now compute the intervals of possible values for α and β: this just amounts to writing the conditions for having $v + \alpha$ satisfy the guard and $(v+\alpha)[y \to 0]$ land in the target cell (and similarly for β):

– having $(v+\alpha)[y \to 0]$ end up in $C$ requires $\alpha \in [0; 1 - v(x)] \cap [0; 1 - v(y)]$;
– having $(v+\alpha)[y \to 0]$ end up in $C$ requires $\alpha \in (1 - v(x); 2 - v(x)] \cap [0; 1 - v(y)]$.

We end up with the following situations:

1. having both $(v+\alpha)[y := 0]$ and $(v+\beta)[y := 0]$ in $C$ can be performed from $\{(x,y) \mid {} \le x \le {} \wedge {} \le y \le {}\}$; from that zone:
   (a) if $x \le y$, we have $I^v_\alpha = I^v_\beta = [0; 1 - y]$;
   (b) if $x > y$, we have $I^v_\alpha = I^v_\beta = [0; 1 - x]$.
2. having both $(v+\alpha)[y := 0]$ and $(v+\beta)[y := 0]$ in $C$ can be performed from $\{(x,y) \mid {} \le x \le {} \wedge {} \le y \le {} \wedge y \le x\}$; from that zone:
   (a) if $x \le y < x$, we have $I^v_\alpha = I^v_\beta = (1 - x; 1 - y]$;
   (b) if $1 \le x \le y$, we have $I^v_\alpha = I^v_\beta = [0; 1 - y]$;
   (c) if $1 + y \le x \le 2$, we have $I^v_\alpha = I^v_\beta = [0; 2 - x]$.
3. having $(v+\alpha)[y := 0] \in C$ and $(v+\beta)[y := 0] \in C$ can be performed from $\{(x,y) \mid {} \le x \le {} \wedge {} \le y \le {} \wedge y \le x\}$. We then have $I^v_\alpha = [0; 1 - x]$ and $I^v_\beta = (1 - x; {} - y]$.

We now have to compute the optimal values of α and β in each of these six situations:

(1a) for the first situation, we have to maximize $(\alpha, \beta) \mapsto \min\{\beta - \alpha,\ x + \alpha,\ x + \beta\}$ over $\{(\alpha, \beta) \mid \alpha \in [0; 1 - y],\ \beta \in [0; 1 - y],\ \alpha \le \beta\}$. This corresponds to case “$a \ge c \ge 0$” of Lemma 15. We get:
   • if ${} - y - x \le 0$, the optimal interval for the player is $[0; 1 - y]$, yielding permissiveness $1 - y$;
   • if $0 \le {} - y - x$, the optimal interval is $[{} - y - x; 1 - y]$, with permissiveness $x - y$.
(1b) in the second situation, we maximize $(\alpha, \beta) \mapsto \min\{\beta - \alpha,\ x + \alpha,\ x + \beta\}$ over $\{(\alpha, \beta) \mid \alpha \in [0; 1 - x],\ \beta \in [0; 1 - x],\ \alpha \le \beta\}$. The situation is the same as above, and we get:
   • if ${} - x \le 0$, the optimal interval for the player is $[0; 1 - x]$, yielding permissiveness $1 - x$;
   • if $0 \le {} - x$, the optimal interval is $[{} - x; 1 - x]$, with permissiveness ${}$.
(2a) in the third situation, we maximize $(\alpha, \beta) \mapsto \min\{\beta - \alpha,\ -(x + \alpha),\ -(x + \beta)\}$ over $\{(\alpha, \beta) \mid \alpha \in (1 - x; {} - y],\ \beta \in (1 - x; 1 - y],\ \alpha \le \beta\}$. We apply Lemma 15, with $a \le 0$ and $c \le 0$:
   • the first condition corresponds to $x \le {} + y$; there the maximal point is $\min\{x - y, {}\}$, i.e. $x - y$, and is reached at $(1 - x, {} - y)$. Since the bound at $1 - x$ is strict, we take $1 - x + \varepsilon$ instead of $1 - x$, for some arbitrarily small $\varepsilon > 0$;
   • the second condition is $x \ge {} + y$, for which the maximal value is reached at $(1 - x, {} - x)$. Again, we have to take $1 - x + \varepsilon$ instead of $1 - x$.
(2b) in this case, we maximize the same function over $\{(\alpha, \beta) \mid \alpha \in [0; {} - y],\ \beta \in [0; 1 - y],\ \alpha \le \beta\}$ over the zone $(1 \le x \le y \le {})$:
   • the first condition is $y \ge x$: in that zone, the maximal point is $1 - y$, reached for $(0, {} - y)$;
   • the second condition is $y \le x$, and the maximal value $1 - x$ is reached at $(0, {} - x)$.
(2c) we maximize the same function over $\{(\alpha, \beta) \mid \alpha \in [0; {} - x],\ \beta \in [0; 2 - x],\ \alpha \le \beta\}$. Again, the second condition holds, and the maximal value is $1 - x$, reached at $(0, {} - x)$.
(3) finally, we have to maximize $(\alpha, \beta) \mapsto \min\{\beta - \alpha,\ x + \alpha,\ -x - \beta\}$ over $\{(\alpha, \beta) \mid \alpha \in [0; {} - x],\ \beta \in (1 - x; 1 - y],\ \alpha \le \beta\}$. Hence we are in case $a \ge 0$, $c \le 0$:
   • when $y \ge {} - x$ and $y \ge x$, the third condition holds, and the maximal value $1 - y$ is reached at $(0, {} - y)$.
   Now, let $T_x = {} - x$ and $T_y = {} - x$.
   • the fourth condition rewrites as $y \ge x - {}$ (and the complement of the previous condition). For those points, the maximal value is $x - y$, reached at $({} - x - y, {} - y)$.
   • the fifth condition is $x \ge {}$ (and the complement of the condition above). There the maximal point $1 - x$ is reached for $(0, {} - x)$.
   • for the remaining points: we have $ad = 2 - x \ge {} - x = bc$, and neither $T_y \le m_y$ nor $T_x \ge M_x$ holds, so that the optimal point is $2/3$, corresponding to $({} - x, {} - x)$.

By superimposing those results and taking the maxima on cells where several solutions have been computed, we get the global permissiveness function depicted on Fig. 9.

Fig. 9. A linear timed automaton and its permissiveness at $\ell$ (plot over the clocks $x$ and $y$; each cell is labelled with the affine expression computed above, or with $-\infty$)

D Proof of Lemma 15
Lemma 15.

Let $m_\alpha \le M_\alpha$ and $m_\beta \le M_\beta$, and $D = \{(\alpha, \beta) \in \mathbb{R}_{\ge 0} \mid m_\alpha \le \alpha \le M_\alpha,\ m_\beta \le \beta \le M_\beta,\ \alpha \le \beta\}$. Let $f : \alpha \mapsto a\alpha + b$ and $g : \beta \mapsto c\beta + d$ be two 1-dimensional affine functions, and $\mu : (\alpha, \beta) \mapsto \min\{\beta - \alpha,\ f(\alpha),\ g(\beta)\}$. Then the maximal value that µ may take over $D$ is of one of the following five forms:

$$M_\beta - m_\alpha,\qquad \lambda \cdot f(\nu),\qquad \lambda \cdot g(\nu),\qquad \frac{ad - bc}{a - c}\qquad\text{and}\qquad \frac{ad - bc}{(a+1)(1-c) - {}},$$

with $\lambda \in \{\ , {} - c, a + 1\}$ and $\nu \in \{m_\alpha, M_\alpha, m_\beta, M_\beta\}$. This value can be computed by checking inequalities between expressions of the same forms.

Proof. We write $h$ for the function $(\alpha, \beta) \mapsto \beta - \alpha$. We assume that $D$ is non-empty (i.e., $m_\alpha \le M_\beta$). We split the proof into four cases, depending on the signs of $a$ and $c$.

▷ When $a \le 0$ and $c \ge 0$, all three functions defining µ are maximized when $\alpha = m_\alpha$ and $\beta = M_\beta$. It follows that the maximal value of µ over $D$ is $\min\{M_\beta - m_\alpha,\ f(m_\alpha),\ g(M_\beta)\}$, and is reached at $(m_\alpha, M_\beta)$.

▷ When $a \ge 0$ and $c \ge 0$, for two points $(\alpha, \beta)$ and $(\alpha', \beta')$ in $D$ with $\beta \le \beta'$, it holds that $(\alpha, \beta') \in D$ and $\mu(\alpha, \beta) \le \mu(\alpha, \beta')$. Hence µ is maximized over $D$ at a point where $\beta = M_\beta$. It remains to maximize $\alpha \mapsto \mu(\alpha, M_\beta)$ over $\{\alpha \in \mathbb{R} \mid (\alpha, M_\beta) \in D\}$. Over $\mathbb{R}$, this function is maximized for $\alpha_0 = \frac{M_\beta - b}{a + 1}$, where $\mu(\alpha_0, M_\beta) = \min\bigl\{\frac{a \cdot M_\beta + b}{a + 1},\ c \cdot M_\beta + d\bigr\}$. If $(\alpha_0, M_\beta) \in D$, this is the maximum of µ over $D$; otherwise the maximum is reached on the border of $\{\alpha \in \mathbb{R} \mid (\alpha, M_\beta) \in D\}$, i.e. for $\alpha = m_\alpha$ or $\alpha = \min\{M_\beta, M_\alpha\}$.

Fig. 10. Four cases for the proof of Lemma 15: when $a \le 0$, $c \ge 0$; $a \ge 0$, $c \ge 0$; and, symmetrically, $a \le 0$, $c \le 0$; $a \ge 0$, $c \le 0$. The plane $\mathbb{R}_{\ge 0}$ (axes α and β) is divided into three cells, depending on which function is minimal among $f$, $g$ and $h$. In each cell, we also indicate the direction in which those functions increase.

▷ When $a \le 0$ and $c \le 0$, by letting $\alpha' = -\beta$ and $\beta' = -\alpha$, the problem is transformed into that of maximizing $\mu'(\alpha', \beta') = \min\{\beta' - \alpha',\ -a\beta' + b,\ -c\alpha' + d\}$ over $D' = \{(\alpha', \beta') \mid -M_\alpha \le \beta' \le -m_\alpha,\ -M_\beta \le \alpha' \le -m_\beta,\ \alpha' \le \beta'\}$. Now $-c \ge 0$ and $-a \ge 0$, and we have reduced this case to the previous one.

▷